No category

Download User Manual

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

Transcript

SSL/IPSec VPN Firewall
4WAN 4LAN SSL/ IPSec VPN Firewall
Load Balance, Bandwidth Management, and Network Security
English User’s Manual
1
SSL/IPSec VPN Firewall
Content
I. Introduction ............................................................................................................................................... 7
II. Multi-WAN Router Installation ............................................................................................................. 10
2.1 Systematic Setting Process ........................................................................................................... 10
2.2 Setting Flow Chart ........................................................................................................................... 10
III. Hardware Installation ........................................................................................................................... 13
3.1 Router LED Signal ........................................................................................................................... 13
3.2 Router Network Connection ........................................................................................................... 15
IV. Login Router ........................................................................................................................................... 16
V. Device Spec Verification, Status Display and Login Password and Time Setting .............................. 18
5.1 Home Page ....................................................................................................................................... 18
5.1.1 WAN Status .............................................................................................................................................. 18
5.1.2 Physical Port Status.................................................................................................................................. 19
5.1.3 System Information .................................................................................................................................. 21
5.1.4 Firewall Status ......................................................................................................................................... 22
5.1.5 Log Setting Status .................................................................................................................................... 22
5.2 Change and Set Login Password and Time ................................................................................. 24
5.2.1 Password Setting ...................................................................................................................................... 24
5.2.2 Time ......................................................................................................................................................... 25
VI. Network Configuration.......................................................................................................................... 27
6.1 Network Connection ....................................................................................................................... 27
6.1.1 Host Name and Domain Name ................................................................................................................ 28
6.1.2 LAN Setting ............................................................................................................................................. 28
6.1.3 WAN & DMZ Settings ............................................................................................................................. 29
6.2 Multi- WAN Setting .......................................................................................................................... 45
6.2.1 Load Balance Mode ................................................................................................................................. 46
6.2.2 Network Detection Service ...................................................................................................................... 53
6.2.3 Protocol Binding ...................................................................................................................................... 56
VII. Intranet Configuration ......................................................................................................................... 68
7.1 Port Management ............................................................................................................................ 68
7.2 Port Status ....................................................................................................................................... 69
7.3 IP/ DHCP ........................................................................................................................................... 71
7.4 DHCP Status .................................................................................................................................... 73
7.5 IP & MAC Binding ............................................................................................................................ 76
7.6 IP Group Management .................................................................................................................... 80
1
SSL/IPSec VPN Firewall
7.7 Port Group Management ................................................................................................................ 82
VIII. QoS (Quality of Service) ..................................................................................................................... 85
8.1 Bandwidth Management (QoS) ...................................................................................................... 85
8.1.1 Bandwidth Management .......................................................................................................................... 87
8.1.2 QoS .......................................................................................................................................................... 87
8.1.3 Smart QoS ................................................................................................................................................ 91
8.1.4 Bandwidth Management Scheduling ....................................................................................................... 92
8.1.5 Exception IP address ................................................................................................................................ 93
8.2 Session control................................................................................................................................ 94
8.3 Hardware Optimization (Future Feature) ...................................................................................... 98
IX. Firewall ................................................................................................................................................. 100
9.1 General Policy................................................................................................................................ 100
9.2 Access Rule ................................................................................................................................... 107
9.2.1 Default Access Rule ............................................................................................................................... 107
9.2.2 Add New Access Rule ............................................................................................................................ 109
9.3 Content Filter ................................................................................................................................. 111
X. VPN (Virtual Private Network) ............................................................................................................ 117
10.1 VPN ............................................................................................................................................... 117
10.1.1. Display All VPN Summary ................................................................................................................. 117
10.1.2. Add a New VPN Tunnel...................................................................................................................... 121
10.1.3. PPTP Setting ....................................................................................................................................... 149
10.1.4. VPN Pass Through .............................................................................................................................. 152
10.2. QnoKey ........................................................................................................................................ 153
10.2.1. QnoKey Summary .............................................................................................................................. 153
10.2.2 Qnokey Group Setup ............................................................................................................................ 154
10.2.3 Qnokey Account List ........................................................................................................................... 157
10.3. QVM VPN Function Setup .......................................................................................................... 159
10.3.1. QVM Server Settings .......................................................................................................................... 159
10.3.2. QVM Status ........................................................................................................................................ 161
10.3.3. QVM Client Settings (Future Feature) ................................................................................................ 162
XI. SSL VPN................................................................................................................................................ 164
11.1 Status ............................................................................................................................................ 164
11.2 Group Summary .......................................................................................................................... 165
11.3 Group Management ..................................................................................................................... 166
11.4 Domain Management .................................................................................................................. 185
2
SSL/IPSec VPN Firewall
11.5 User Management ........................................................................................................................ 186
11.6 Service Resource Management ................................................................................................. 189
11.6.1 Banner .................................................................................................................................................. 190
11.6.2 Resource Configuration ....................................................................................................................... 190
11.7 Link to Portal ................................................................................................................................ 192
11.8 Advanced Settings ...................................................................................................................... 193
11.8.1 Virtual Passage ..................................................................................................................................... 194
11.8.2 Advanced Configurations ..................................................................................................................... 196
11.8.3 SSL Upgrade Serial Number ................................................................................................................ 199
XII. Advanced Function ............................................................................................................................. 200
12.1 DMZ/Forwarding .......................................................................................................................... 200
12.1.1 DMZ Configuration ............................................................................................................................. 200
12.1.2 Port Range Forwarding ........................................................................................................................ 201
12.2 UPnP ............................................................................................................................................. 204
12.3 Routing ......................................................................................................................................... 205
12.3.1 Dynamic Routing ................................................................................................................................. 206
12.3.2 Static Routing ...................................................................................................................................... 206
12.4 One to One NAT ........................................................................................................................... 208
12.5 DDNS- Dynamic Domain Name Service .................................................................................... 212
12.6 MAC Clone ................................................................................................................................... 214
12.7 Inbound Load Balance ................................................................................................................ 215
XIII. System Tool ........................................................................................................................................ 223
13.1 Diagnostic .................................................................................................................................... 223
13.2 Firmware Upgrade ....................................................................................................................... 224
13.3 Configuration Backup ................................................................................................................. 225
13.4 SNMP ............................................................................................................................................ 226
13.5 System Recover .......................................................................................................................... 227
13.6 High Availability ........................................................................................................................... 229
11.7 License Key .................................................................................................................................. 234
XIV. Log....................................................................................................................................................... 236
14.1 System Log .................................................................................................................................. 236
14.2 System Statistic ........................................................................................................................... 240
14.3 Traffic Statistic ............................................................................................................................. 241
14.4 Connection Statistic (Future Feature) ....................................................................................... 245
14.5 IP/ Port Statistic ........................................................................................................................... 247
3
SSL/IPSec VPN Firewall
14.6 QRTG (Qno Router Traffic Graphic) .......................................................................................... 249
XV. Log out.................................................................................................................................................. 254
Appendix I: User Interface and User Manual Chapter Cross Reference .............................................. 255
Appendix II: Troubleshooting ................................................................................................................... 259
（1） Block BT Download .................................................................................................................... 259
（2） Shock Wave and Worm Virus Prevention .................................................................................. 260
（3） Block QQLive Video Broadcast Setting ...................................................................................... 262
（4） ARP Virus Attack Prevention ...................................................................................................... 264
Appendix III: Qno Technical Support Information .............................................................................. 273
4
SSL/IPSec VPN Firewall
Product Manual Using Permit Agreement
[Product Manual (hereafter the "Manual") Using Permit Agreement] hereafter the "Agreement" is the using
permit of the Manual, and the relevant rights and obligations between the users and Qno Technology Inc
(hereafter "Qno"), and is the exclusion to remit or limit the liability of Qno. The users who obtain the file of this
manual directly or indirectly, and users who use the relevant services, must obey this Agreement.
Important Notice: Qno would like to remind the users to read the clauses of the "Agreement" before
downloading and reading this Manual. Unless you accept the clauses of this "Agreement", please return this
Manual and relevant services. The downloading or reading of this Manual is regarded as accepting this
"Agreement" and the restriction of clauses in this "Agreement".
【1】Statement of Intellectual Property
Any text and corresponding combination, diagram, interface design, printing materials or electronic file are
protected by copyright of our country, clauses of international copyright and other regulations of intellectual
property. When the user copies the "Manual", this statement of intellectual property must also be copied and
indicated. Otherwise, Qno regards it as tort and relevant duty will be prosecuted as well.
【2】Scope of Authority of "Manual"
The user may install, use, display and read this "Manual on the complete set of computer.
【3】User Notice
If users obey the law and this Agreement, they may use this "Manual" in accordance with "Agreement". The
"hardcopy or softcopy" of this Manual is restricted using for information, non-commercial and personal
purpose. Besides, it is not allowed to copy or announce on any network computer. Furthermore, it is not
allowed to disseminate on any media. It is not allowed to modify any part of the "file". Using for other
purposes is prohibited by law and it may cause serious civil and criminal punishment. The transgressor will
receive the accusation possibly.
【4】Legal Liability and Exclusion
【4-1】Qno will check the mistake of the texts and diagrams with all strength. However, Qno, distributors, and
resellers do not bear any liability for direct or indirect economic loss, data loss or other corresponding
commercial loss to the user or relevant personnel due to the possible omission.
【4-2】In order to protect the autonomy of the business development and adjustment of Qno, Qno reserves
5
SSL/IPSec VPN Firewall
the right to adjust or terminate the software / Manual any time without informing the users. There will be no
further notice regarding the product upgrade or change of technical specification. If it is necessary, the
change or termination will be announced in the relevant block of the Qno website.
【4-3】All the set parameters are examples and they are for reference only. You may also purpose your
opinion or suggestion. We will take it as reference and they may be amended in the next version.
【4-4】This Manual explains the configuration of all functions for the products of the same series. The actual
functions of the product may vary with the model. Therefore, some functions may not be found on the product
you purchased.
【4-5】Qno reserves the right to change the file content of this Manual and the Manual content may not be
updated instantly. To know more about the updated information of the product, please visit Qno official
website.
【4-6】Qno (and / or) distributors hereby declares that no liability will be born for any guarantee and condition
of the corresponding information. The guarantee and condition include tacit guarantee and condition about
marketability, suitability for special purposes, ownership, and non-infringement. The name of the companies
and products mentioned may be the trademark of the owners. Qno (and/or) the distributors do not provide the
product or software of any third party company. Under any circumstance, Qno and / or distributors bear no
liability for special, indirect, derivative loss or any type of loss in the lawsuit caused by usage or information
on the file, no matter the lawsuit is related to agreement, omission, or other tort.
【5】Other Clauses
【5-1】The potency of this Agreement is over any other verbal or written record. The invalidation of part or
whole of any clause does not affect the potency of other clauses.
【5-2】The power of interpretation, potency and dispute are applicable for the law of Taiwan. If there is any
dissension or dispute between the users and Qno, it should be attempted to solve by consultation first. If it is
not solved by consultation, user agrees that the dissension or dispute is brought to trial in the jurisdiction of
the court in the location of Qno. In Mainland China, the "China International Economic and Trade Arbitration
Commission" is the arbitration organization.
6
SSL/IPSec VPN Firewall
I. Introduction
New generation SSL/ IPSec VPN Firewall is a high efficiency router owing to the market requirement. It
is designed as economical, high efficiency with all functions integrated for network VPN Router that fulfills the
requirement of enterprise branches, vendors and SOHO for VPN application increase and bandwidth
management. New generation SSL/ IPSec VPN Router focuses on multiple ISP environment and user
bandwidth management requirement to integrate the backbone networking, it can support hardware port
mirror, smart QoS, Multi-WAN load balance, gateway redundancy, and Intelligent Firewall.
SSL/ IPSec VPN Router uses a 64-bit high-level processor and maximum 200 Mbps-two way forwarding
rate that can support several hundred thousand session connections, built-in high- capacity RAM allows the stability
and reliability for long-time operation.
It has 4 10/100 Base-T/TX Ethernets (RJ45) WAN ports. These WAN ports can support auto load
balance mode, exclusive mode (remaining WAN balance), and stategy routing mode for high-efficiency
network. They offer super flexibility for network set-up. Moreover, these WAN ports also support DHCP, fixed
IP, PPPoE, transparent bridge, VPN connection, port binding, static routing, dynamic routing, NAT, one to one
NAT, PAT, MAC Clone, as well as DDNS. As for LAN ports including one DMZ, they support 10/100
Base-T/TX Ethernet (RJ45) and provide the features of Microsoft UPnP, VLAN, Multi Subnet, and transparent
bridge mode. Internet IP addresses can also be used in intranet.
Individual QoS bandwidth management with powerful and easy-to-setup functions allows manager to
arrange the limited network resource rational and efficiently. It is not needed to extend the bandwidth to
unlimited settings which would increase spending cost; it can also avoid the complaint of few people to force
whole bandwidth. Simple user configuration can be the best efficiency application; it allows the optimization of
bandwidth utilization based on the whole utility rate without setting rules step-by-step and only to limit the
users who occupy the bandwidth for resource savings. Moreover, intelligence bandwidth management is
provided, through the simple deployment to complete LAN side bandwidth management for efficiency utility
rate, simple management and improvement performance.
SSL/IPSec VPN Router exclusively provides hardware optimization, which can run broadbandwidth
management, traffic priorities and distributions directly through hardware. Not only can it ensure intranet
important services won’t have disconnection, but also decrease the depletion of CPU and the whole system
resources. Thus, SSL/IPSec VPN Router can endure enormous sessions and PCs, and provide stable
network environment.
Load balancing function supports Auto Load Balance mode, Specify WAN Binding mode and Strategy
7
SSL/IPSec VPN Firewall
Routing mode to allow deployment of flexible network connection required to control traffic flow to guarantee
that whole connections are unobstructed. Strategy Routing mode is simply to configure the network without
the input of IP address. It can automatically detect outbound packets and filter telecom connection to ensure
quick response and packet pass through without obstruction, and it can aggregate the same ISP bandwidth
for load balancing control and increase flexibility of network resource.
Built-in Firewall system can fulfill market requirement in defense of internet attacks for most enterprise.
Initiative packet inspection via the network layer dynamic detection denies or blocks non-standard protocol
connections. It can easily employ complete protection functions to ensure network security, as required for
any kind of hack attacks, worm & Virus and ARP attacks by one-way control. Firewall system has not only
NAT function but also DoS attack.
Complete Functions of Access Rules can allow managers to select the
network service levels to deny or allow accesses, and it can also limit or deny LAN users to use the network
and to avoid the network resource being occupied or threatened due to improper uses.
NAT function can provide the translation between private IP and public IP, which can allow multi-user to
connect the internet with one public IP at the same time. LAN IP supports four Class C connections, and
DHCP server is also supported, as well as an easy configuration of IP-MAC binding function allowing network
structure to be flexible and easy to deployed and managed.
In addition, SSL/ IPSec VPN Router also supports virtual routing function. One-WAN branch can be
upgraded to dual-WAN transmit ion easily, Enterprise with one-WAN can connect to dual-WAN center by easy
configuration and traffic will pass through other WAN lines from the center network. This can also accelerate the
connections among different areas to solve the connection bottleneck problem.
For SSL VPN, client only need a web browser to access to Central servers. Passing the ID, and you get
the portal to the company’s internal resources, such as Internet services, Microsoft terminal services, remote
desktop services, online neighborhood networks, and secure tunnel functions. Meanwhile, different users or
groups can access to different interfaces according to the web administrator’s configurations, which satisfies
external and mobile users' security requirements.
Qno is a supporter of the IPSec Protocol. IPSec VPN provides DES, 3DES, AES-128 encryption, MD5,
SH1 certification, IKE Pre-Share Key, or manual password interchange.
SSL/ IPSec VPN Router also
supports aggressive mode. When a connection is lost, SSL/ IPSec VPN Router will automatically re-connect.
In addition, SSL/ IPSec VPN Router features NetBIOS transparency, and supports IP grouping for
connections between clients and host in the virtual private network.
SSL/ IPSec VPN Router offers the function of a standard PPTP server, which is equipped with
connection setting status. Each WAN port can be set up with multiple DDNS at the same time. It is also
8
SSL/IPSec VPN Firewall
capable of establishing VPN connections with dynamic IP addresses.
SSL/ IPSec VPN Router also has unique QVM VPN- SmartLink IPSec VPN. Just input VPN server IP,
user name, and password, and IPSec VPN will be automatically set up. Through SSL/IPSec VPN Router
exclusive QVM function, users can set up QVM to work as a server, and have it accept other QVM series
products from client ports. QVM offers easy VPN allocation for users; users can do it even without a network
administrator.
SSL/ IPSec VPN Router enables enterprises to benefit from VPN without being troubled with
technical and network management problems. The central control function enables the host to log in remote
client computers at any time. Security and secrecy are guaranteed to meet the IPSec standard, so as to
ensure the continuity of VPN service.
You can log on to our Web site www.Qno.com.tw, and find the latest Qno product information and
technical support.
The device is an FCC Class A product, it may cause radio interference in the living environment. User may
need to take feasible measures in this condition.
9
SSL/IPSec VPN Firewall
II. Multi-WAN Router Installation
In this chapter we are going to introduce hardware installation. Through the understanding of multi- WAN
setting process, users can easily setup and manage the network,making Router functioning and having best
performance.
2.1 Systematic Setting Process
Users can set up and enable the network by utilizing bandwidth efficiently. The network can achieve the
ideal efficientness,block attacks, and prevent security risks at the same time. Through the process settings,
users can install and operate
Router easily. This simplifies the management and maintenance, making the
user network settings be done at one time.
The main process is as below:
1. Hardware installation
2. Login
3. Verify device specification and set up password and time
4. Set WAN connection
5. Set LAN connection: physical port and IP address settings
6. Set QoS bandwidth management: avoid bandwidth occupation
7. Set Firewall: prevent attack and improper access to network resources
8. Other settings: UPnP, DDNS, MAC Clone
9. Management and maintenance settings: Syslog, SNMP, and configuration backup
10. VPN Virtual Private Network, QnoKey, QVM, SSL VPN function setting
11. Logout
2.2 Setting Flow Chart
Below is the description for each setting process, and the crospondent contents and purposes.
detailed functions, please refer to Appendix I: Setting Inferface and Chapter Index.
10
For
SSL/IPSec VPN Firewall
#
1
Setting
Hardware installation
Content
Purpose
Configure the
Install VPN Router hardware based on user
network to meet
physical requirements.
user’s demand.
2
Login
Login the device with
Login VPN Router web- based UI.
Web Browser.
3
Verify device
Verify Firmware
Verify VPN Router specification, Firmware
specification
version and working
version and working status.
status.
Set password and time
Set time and re- new
Modify the login password considering safe
password.
issue.
Synchronize VPN Router time with WAN.
4
Set WAN connection
Verify WAN
Connect to WAN. Configure bandwidth to
connection setting,
optimize data transmission.
bandwidth allocation,
and protocol binding.
5
Set LAN connection:
physical port and IP
address settings
6
Set QoS bandwidth
management: avoid
bandwidth occupation
7
Set Firewall: prevent
attack and improper
access to network
Set mirror port and
Provide mirror port, port management and
VLAN. Allocate and
VLAN setting functions. Support Static/DHCP
manage LAN IP.
IP allocation to meet different needs. IP group
will simplify the management work.
Restrict bandwidth
To assure transmission of important
and session of WAN
information, manage and allocate the
ports, LAN IP and
bandwidth further to achieve best efficiency.
application.
Block attack, Set
Administrators can block BT to avoid bandwidth
Access rule and
occupation, and enable access rules to restrict
restrict Web access.
employee accessing internet improperly or
using MSN, QQ and Skype during working
resources
time. They can also protect network from Worm
or ARP attacking.
11
SSL/IPSec VPN Firewall
8
Advanced Settings:
DMZ/Forwarding,
DMZ/Forwarding, UPnP, Routing Mode,
DMZ/Forwarding,
UPnP, Routing Mode,
multiple WAN IP, DDNS and MAC Clone
UPnP, DDNS, MAC
multiple WAN IP,
Clone
DDNS and MAC
Clone
9
Management and
maintenance settings:
Syslog, SNMP, and
Monitor working
Administrators can look up system log and
status and
monitor system status and inbound/outbound
configuration backup.
flow in real time.
Configure VPN
Configure different types of VPN to meet
tunnels, e.g. PPTP,
different application environment.
configuration backup
10
VPN Virtual Private
Network, QnoKey,
QVM VPN function
setting
11
Logout
QnoKey, QVM and
SSL VPN.
Close configuration
Web- based UI logout.
window.
We will follow the process flow to complete the network setting in the following chapters.
12
SSL/IPSec VPN Firewall
III. Hardware Installation
In this chapter we are going to introduce hardware interface as well as physical installation.
3.1 Router LED Signal
LED Signal Description
LED
Color
Description
Power
Green
Green LED on: Power ON
DIAG
Amber
Amber LED on: System self-test is running.
Amber LED off: System self-test is completed successfully.
Link/Act
Green
Green LED on: Ethernet connection is fine.
Green LED blinking: Packets are transmitting through Ethernet
port.
Amber
Amber LED on: Ethernet is running at 100Mbps.
Amber LED off: Ethernet is running at 10Mbps.
Green
Green LED on: WAN is connected and gets the IP address.
（Green light at the right of
the port）
100M- Speed
（Amber light at th left of the
port）
Connect
Reset
Action
Description
Press Reset Button For 5 Secs
Warm Start
DIAG indicator: Amber LED flashing slowly.
Press Reset Button Over 10 Secs
Factory Default
DIAG indicator: Amber LED flashing quickly.
System Built-in Battery
A system timing battery is built into
life is over or it can not be charged,
Router. The lifespan of the battery is about 1~2 years. If the battery
Router will not be able to record time correctly, nor synchronize with
internet NTP time server. Please contact your system supplier for information on how to replace the battery.
Attention!
Do not replace the battery yourself; otherwise irreparable damage to the product may be caused.
13
SSL/IPSec VPN Firewall
Installing Router on a Standard 19” Rack
We suggest to either place Router on a desk or install it in a rack with attached brackets. Do not place
other heavy objects together with Router on a rack. Overloading may cause the rack to fail, thus causing
damage or danger.
Each
Router comes with a set of rack installation accessories, including 2 L- shaped brackets and 8
screws. Users can rack- mount the device onto the chassis. Please refer to the figure below for the installation
onto a 19‖ rack:
Attention!
In order for the device to run smoothly, wherever users install it, be sure not to obstruct the vent on
each side of the device. Keep at least 10cm space in front of both the vents for air convection.
14
SSL/IPSec VPN Firewall
3.2 Router Network Connection
WAN connection：A WAN port can be connected with xDSL Modem, Fiber Modem, Switching Hub, or
through an external router to connect to the Internet.
LAN Connection: The LAN port can be connected to a Switching Hub or directly to a PC. Users can
use servers for monitoring or filtering through the port after ―Physical Port Mangement‖ configuration is
done.
DMZ : The DMZ port can be connected to servers that have legal IP addresses, such as Web servers,
mail servers, etc.
15
SSL/IPSec VPN Firewall
IV. Login Router
This chapter is mainly introducing Web- based UI after connecting Router.
First, check up Router IP address by connecting to DOS through the LAN PC under Router. Go to Start
→ Run, enter cmd to commend DOS, and enter ipconfig for getting Default Gateway address, as the graphic
below, 192.168.1.1. Make sure Default Gateway is also the default IP address of Router.
Attention!
When not getting IP address and default gateway by using ―ipconfig‖, or the received IP address is
0.0.0.0 and 169.X.X.X, we recommend that users should check if there is any problem with the circuits
or the computer network card is connected nicely.
16
SSL/IPSec VPN Firewall
Then, open webpage browser, IE for example, and key in 192.168.1.1 in the website column. The login
window will appear as below:
Router default username and password are both ―admin‖.
Users can change the login password in the
setting later.
Attention!
For security, we strongly suggest that users must change password after login.
Please keep the
password safe, or you can not login to Router. Press Reset button for more than 10 sec, all the setting
will return to default.
After login, Router web- based UI will be shown. Select the language on the upper right corner of the
webpage. The language chosen will be in blue. Please select ―English’ as below.
17
SSL/IPSec VPN Firewall
V. Device Spec Verification, Status Display and Login
Password and Time Setting
This chapter introduces the device specification and status after login as well as change password and
system time settings for security.
5.1 Home Page
In the Home page, all
Router parameters and status are listed for users’ reference.
5.1.1 WAN Status
IP Address
Indicates the current IP configuration for WAN port.
Default Gateway
Indicates current WAN gateway IP address from ISP.
DNS Server
Indicates the current DNS IP configuration.
Session
Indicates the current session number for each WAN in
Downstream Bandwidth
Indicates the current downstream bandwidth usage(%) for each
18
Router.
SSL/IPSec VPN Firewall
Usage(%)
WAN.
Upstream Bandwidth Usage(%)
Indicates the current upstream bandwidth usage(%)
DDNS
Quality of Service
Manual Connect
for each WAN.
Indicates if Dynamic Domain Name is activated. The default
configuration is ―Off‖.
Indicates how many QoS rules are set.
When ―Obtain an IP automatically‖ is selected, two buttons
(Release and Renew) will appear. If a WAN connection, such as
PPPoE or PPTP, is selected, ―Disconnect‖ and ―Connect‖ will
appear.
DMZ IP Address (WAN4/DMZ)
Indicates the current DMZ IP address.
5.1.2 Physical Port Status
The status of all system ports, including each connected and enabled port, will be shown on this Home
page (see above table). Click the respective status button and a separate window will appeare to show
detailed data (including setting status summary and statisitcs) of the selected port.
19
SSL/IPSec VPN Firewall
The current port setting status information will be shown in the Port Information Table. Examples: type
(10Base-T/100Base-TX/)，iniferface (WAN1- 4／LAN1- 4/DMZ)，link status (Up/ Down)，physical port status
(Port Enabled/ Port Disabled)，priority (high or normal)，speed status (10Mbps/100Mbps)，duplex status (Half/
Full)，auto negotiation (Enabled or Disabled). The tabble also shows statistics of Receive/ Transmit Packets,
Receive/Transmit Packets Byte Count as well as Error Packets Count.
20
SSL/IPSec VPN Firewall
5.1.3 System Information
Device IP Address: Identifies the current device IP address. The default is 192.168.1.1.
Working Mode: Indicates the current working mode. Can be NAT Gateway or Router mode. The default
is ―NAT Gateway‖ mode.
System active time: Indicates how long the
Serial Number: This number is the
Router has been running.
Router serial number.
Firmware Version: Information about the
Router present software version.
Current Time: Indicates the device present time.
Please note: To have the correct time, users must
synchronize the device with the remote NTP server first.
CPU Usage: Indicates the current router CPU usage percentage.
Memory Usage: Indicates the current router memory usage percentage.
Total Session: Indicates the current router session connection quantity.
21
SSL/IPSec VPN Firewall
5.1.4 Firewall Status
SPI (Stateful Packet Inspection)： Indicates whether SPI (Stateful Packet Inspection) is on or off. The
default configuration is ―On‖.
DoS (Denial of Service)：Indicates if DoS attack prevention is activated. The default configuration is
―On‖.
Block WAN Request：Indicates that denying the connection from Internet is activated. The default
configuration is ―On‖.
Prevent ARP Virus Attack：Indicates that preventing Arp virus attack is acitvated.
The default
configuration is ―Off‖.
Remote Management: Indicates if remote management is activated (on or off). Click the hyperlink to
enter and manage the configuration. The default configuration is ―Off‖.
Access Rule：Indicates the number of access rule applied.
5.1.5 Log Setting Status
22
SSL/IPSec VPN Firewall
External Syslog
Indicates the sever setting to receive the syslog.
Server
Send Log by E-mail
(future feature)
Indicates the E-mail setting. Syslog will be sent to the specific E-mail.
E-Mail link will be connected to syslog setting page:
1.
If you do not have the email address set in system log, it will show “E-mail cannot be sent
because you have not specified an outbound SMTP server address.”—— represents that
you do not have email setting and it can not send out syslog emails.
2.
If you have the email address set in system log, but the log does not meet the sending log
conditions, it will show “E-mail settings have been configured.”—— represents that you
already have the email setting, but the log does not meet the sending log conditions yet.
3.
If you have the email address set in system log, and log is sent out, it will show “E-mail settings
have been configured and sent out normally.” —— represents that you already have the email
setting, and the log is set out to the email address.
4.
If you have the email address set in the system log, but the log can not be sent out correctly, it will
show “E-mail cannot be sent out, probably use incorrect settings.” —— represents that there
is email address setting, but the log can not be sent out, which might be due to the incorrect
setting.
23
SSL/IPSec VPN Firewall
5.2 Change and Set Login Password and Time
5.2.1 Password Setting
When you login Router setting window every time, you must enter the password. The default value for
Router username and password are both ―admin‖. For security reasons, we strongly recommend that you
must change your password after first login.
Please keep the password safe, or you might not login to
Router. You can press Reset button for more than 10 sec, Router will return back to default.
User Name
The default is ―admin‖.
Old Password
Input the original password.（The default is ―admin‖.）
New User Name
Input the new user name. i.e.Qno
New User Password
Input the new password.
Confirm New Password
Input the new password again for verification.
Apply
Click “Apply” to save the configuration.
Cancel
Click “Cancel" to leave without making any change. This action will be
effective before ‖Apply‖ to save the configuration.
24
SSL/IPSec VPN Firewall
5.2.2 Time
GIGAGIT Router can adjust time setting. Users can know the exact time of event occurrences that are
recorded in the Syslog, and the time of turning on or off access for Internet resources. You can either select
the embedded NTP Server synchronization function or set up a time reference.
Synchronize with external NTP server:
Router has embedded NTP server, which will update the time
spontaneously.
Time Zone
Select your location from the pull-down time zone list to show correct local time.
Daylight Saving
If there is Daylight Saving Time in your area, input the date range. The device
will adjust the time for the Daylight Saving period automatically.
NTP Server
If you have your own preferred time server, input the server IP address.
Apply
After the changes are completed, click “Apply” to save the configuration.
Cancel
Click “Cancel" to leave without making any change. This action will be effective
before ‖Apply‖ to save the configuration.
25
SSL/IPSec VPN Firewall
Select the Local Time Manually: Input the correct time, date, and year in the boxes.
After the changes are completed, click “Apply” to save the configuration. Click “Cancel" to leave
without making any change. This action will be effective before ‖Apply‖ to save the configuration.
26
SSL/IPSec VPN Firewall
VI. Network Configuration
This Network page contains the basic settings. For most users, completing this general setting is enough
for connecting with the Internet. However, some users need advanced information from their ISP. Please refer
to the following descriptions for specific configurations.
6.1 Network Connection
27
SSL/IPSec VPN Firewall
6.1.1 Host Name and Domain Name
Device name and domain name can be input in the two boxes. Though this configuration is not necessary
in most environments, some ISPs in some countries may require it.
6.1.2 LAN Setting
This is configuration information for the
Router current LAN IP address. The default configuration is
192.168.1.1 and the default Subnet Mask is 255.255.255.0. It can be changed according to the actual network
structure.
Multiple-Subnet Setting：
Click ―Unified IP Management‖ to enter the configuration page, as shown in the following figure. Input the
respective IP addresses and subnet masks.
28
SSL/IPSec VPN Firewall
This function enables users to input IP segments that differ from the router network segment to the
multi-net segment configuration; the Internet will then be directly accessible. In other words, if there are
already different IP segment groups in the Intranet, the Internet is still accessible without making any changes
to internal PCs. Users can make changes according to their actual network structure.
6.1.3 WAN & DMZ Settings
WAN Setting:
29
SSL/IPSec VPN Firewall
Interface: An indication of which port is connected.
Connection Type: Obtain an IP automatically, Static IP connection, PPPoE (Point-to-Point Protocol over
Ethernet), PPTP (Point-to-Point Tunneling Protocol) or Transparent Bridge.
Config.: A modification in an advanced configuration: Click Edit to enter the advanced configuration
page.
Obtain an Automatic IP automatically:
This mode is often used in the connection mode to obtain an automatic DHCP IP. This is the
device system default connection mode. It is a connection mode in which DHCP clients obtain an IP address
automatically. If having a different connection mode, please refer to the following introduction for selection of
appropriate configurations. Users can also set up their own DNS IP address. Check the options and input the
user-defined DNS IP addresses.
30
SSL/IPSec VPN Firewall
Use the following DNS Server
Select a user-defined DNS server IP address.
Addresses
DNS Server
Input the DNS IP address set by ISP. At least one IP group should be
input. The maximum acceptable groups is two IP groups.
Enable Line-Dropped
The WAN disconnection schedule will be activated by checking this
Scheduling
option. In some areas, there is a time limitation for WAN connection
service. For example: the optical fiber service will be disconnected from
0:00 am to 6:00 am. Although there is a standby system in the device, at
the moment of WAN disconnection, all the external connections that go
through this WAN will be disconnected too. Only after the disconnected
lines are reconnected can they go through the standby system to
connect with the Internet. Therefore, to avoid a huge number of
disconnection, users can activate this function to arrange new
connections to be made through another WAN to the Internet. In this
way, the effect of any disconnection can be minimized.
Line-Dropped Period
Input the time rule for disconnection of this WAN service.
31
SSL/IPSec VPN Firewall
Line-Dropped Scheduling
Input how long the WAN service may be disconnected before the newly
added connections should go through another WAN to connect with the
Internet.
Backup Interface
Select another WAN port as link backup when port binding is configured.
Users should select the port that employs the same ISP.
After the changes are completed, click “Apply” to save the configuration, or click “Cancel" to leave
without making any changes.
Static IP:
If an ISP issues a static IP (such as one IP or eight IP addresses, etc.), please select this connection
mode and follow the steps below to input the IP numbers issued by an ISP into the relevant boxes.
WAN IP address
Input the available static IP address issued by ISP.
Subnet Mask
Input the subnet mask of the static IP address issued by ISP, such as:
32
SSL/IPSec VPN Firewall
Issued eight static IP addresses: 255.255.255.248
Issued 16 static IP addresses: 255.255.255.240
Default Gateway
Input the default gateway issued by ISP. For ADSL users, it is usually an
ATU-R IP address. As for optical fiber users, please input the optical fiber
switching IP.
DNS Server
Input the DNS IP address issued by ISP. At least one IP group should be input.
The maximum acceptable is two IP groups.
Enable
The WAN disconnection schedule will be activated by checking this
Line-Dropped
option. In some areas, there is a time limitation for WAN connection
Scheduling
service. For example: the optical fiber service will be disconnected from
0:00 am to 6:00 am. Although there is a standby system in the device, at
the moment of WAN disconnection, all the external connections that go
through this WAN will be disconnected too. Only after the disconnected
lines are reconnected can they go through the standby system to connect
with the Internet. Therefore, to avoid a huge number of disconnection,
users can activate this function to arrange new connections to be made
through another WAN to the Internet. In this way, the effect of any
disconnection can be minimized.
Line-Dropped
Input the time rule for disconnection of this WAN service.
Period
Line-Dropped
Input how long the WAN service may be disconnected before the newly added
Scheduling
connections should go through another WAN to connect with the Internet.
Backup Interface
Select another WAN port as link backup when port binding is configured. Users
should select the port that employs the same ISP.
After the changes are completed, click “Apply” to save the configuration, or click “Cancel" to leave
without making any changes.
PPPoE:
This option is for an ADSL virtual dial-up connection (suitable for ADSL PPPoE). Input the user
33
SSL/IPSec VPN Firewall
connection name and password issued by ISP. Then use the PPP Over-Ethernet software built into the device
to connect with the Internet. If the PC has been installed with the PPPoE dialing software provided by ISP,
remove it. This software will no longer be used for network connection.
User Name
Input the user name issued by ISP.
Password
Input the password issued by ISP.
Connect on Demand
This function enables the auto-dialing function to be used in a PPPoE
dial connection. When the client port attempts to connect with the
Internet, the device will automatically make a dial connection. If the line
has been idle for a period of time, the system will break the connection
automatically. (The default time for automatic break-off resulting from no
packet transmissions is five minutes).
Keep Alive
This function enables the PPPoE dial connection to keep connected, and
to automatically redial if the line is disconnected. It also enables a user to
34
SSL/IPSec VPN Firewall
set up a time for redialing. The default is 30 seconds.
Enable Line-Dropped
The WAN disconnection schedule will be activated by checking this
Scheduling
option. In some areas, there is a time limitation for WAN connection
service. For example: the optical fiber service will be disconnected from
0:00 am to 6:00 am. Although there is a standby system in the device, at
the moment of WAN disconnection, all the external connections that go
through this WAN will be disconnected too. Only after the disconnected
lines are reconnected can they go through the standby system to connect
with the Internet. Therefore, to avoid a huge number of disconnection,
users can activate this function to arrange new connections to be made
through another WAN to the Internet. In this way, the effect of any
disconnection can be minimized.
Line-Dropped Period
Input the time rule for disconnection of this WAN service.
Line-Dropped
Input how long the WAN service may be disconnected before the newly
Scheduling
added connections should go through another WAN to connect with the
Internet.
Backup Interface
Select another WAN port as link backup when port binding is configured.
Users should select the port that employs the same ISP.
After the changes are completed, click “Apply” to save the configuration, or click “Cancel" to leave
without making any change.
PPTP:
This option is for the PPTP time counting system. Input the user’s connection name and password issued
by ISP, and use the built-in PPTP software to connect with the Internet.
35
SSL/IPSec VPN Firewall
WAN IP Address
This option is to configure a static IP address. The IP address to be
configured could be one issued by ISP. (The IP address is usually
provided by the ISP when the PC is installed. Contact ISP for relevant
information).
Subnet Mask
Input the subnet mask of the static IP address issued by ISP, such as:
Issued eight static IP addresses: 255.255.255.248
Issued 16 static IP addresses: 255.255.255.240
Default Gateway
Input the default gateway of the static IP address issued by ISP. For ADSL
Address
users, it is usually an ATU-R IP address.
User Name
Input the user name issued by ISP.
36
SSL/IPSec VPN Firewall
Password
Input the password issued by ISP.
Connect on Demand
This function enables the auto-dialing function to be used for a PPTP dial
connection. When the client port attempts to connect with the Internet, the
device will automatically connect with the default ISP auto dial connection;
when the network has been idle for a period of time, the system will break
the connection automatically. (The default time for automatic break off
when no packets have been transmitted is five minutes).
Keep Alive
This function enables the PPTP dial connection to redial automatically
when the connection has been disconnected. Users can set up the
redialing time. The default is 30 seconds.
Enable
The WAN disconnection schedule will be activated by checking this option.
Line-Dropped
In some areas, there is a time limitation for WAN connection service. For
Scheduling
example: the optical fiber service will be disconnected from 0:00 am to
6:00 am. Although there is a standby system in the device, at the moment
of WAN disconnection, all the external connections that go through this
WAN will be disconnected too. Only after the disconnected lines are
reconnected can they go through the standby system to connect with the
Internet. Therefore, to avoid a huge number of disconnection, users can
activate this function to arrange new connections to be made through
another WAN to the Internet. In this way, the effect of any disconnection
can be minimized.
Line-Dropped Period
Input the time rule for disconnection of this WAN service.
Line-Dropped
Input how long the WAN service may be disconnected before the newly
Scheduling
added connections should go through another WAN to connect with the
Internet.
Backup Interface
Select another WAN port as link backup when port binding is configured.
Users should select the port that employs the same ISP.
After the changes are completed, click “Apply” to save the configuration, or click “Cancel" to leave
without making any changes.
37
SSL/IPSec VPN Firewall
Transparent Bridge:
If all Intranet IP addresses are applied as Internet IP addresses, and users don’t want to substitute private
network IP addresses for all Intranet IP addresses (ex. 192.168.1.X), this function will enable users to
integrate existing networks without changing the original structure. Select the Transparent Bridge mode for
the WAN connection mode. In this way, users will be able to connect normally with the Internet while keeping
the original Internet IP addresses in Intranet IP configuration.
If there are two WANs configured, users still can select Transparent Bridge mode for WAN connection
mode, and load balancing will be achieved as usual.
WAN IP Address
Input one of the static IP addresses issued by ISP.
38
SSL/IPSec VPN Firewall
Subnet Mask
Input the subnet mask of the static IP address issued by ISP, such
as:
Issued eight static IP addresses: 255.255.255.248
Issued 16
static IP addresses: 255.255.255.240
Default Gateway Address
Input the default gateway of the static IP address issued by ISP. For
ADSL users, it is usually an ATU-R IP address.
DNS Server
Input the DNS IP address set by ISP. At least one IP group should be
input. The maximum acceptable is two IP groups.
Internal LAN IP Range
Input the available IP range issued by ISP. If ISP issued two
discontinuous IP address ranges, users can input them into Internal
LAN IP Range 1 and Internal LAN IP Range 2 respectively.
Enable Line-Dropped
The WAN disconnection schedule will be activated by checking this
Scheduling
option. In some areas, there is a time limitation for WAN connection
service. For example: the optical fiber service will be disconnected
from 0:00 am to 6:00 am. Although there is a standby system in the
device, at the moment of WAN disconnection, all the external
connections that go through this WAN will be disconnected too. Only
after the disconnected lines are reconnected can they go through the
standby system to connect with the Internet. Therefore, to avoid a
huge number of disconnection, users can activate this function to
arrange new connections to be made through another WAN to the
Internet. In this way, the effect of any disconnection can be
minimized.
Line-Dropped Period
Input the time rule for disconnection of this WAN service.
Line-Dropped Scheduling
Input how long the WAN service may be disconnected before the
newly added connections should go through another WAN to connect
with the Internet.
Backup Interface
Select another WAN port as link backup when port binding is
configured. Users should select the port that employs the same ISP.
After the changes are completed, click “Apply” to save the configuration, or click “Cancel" to leave
39
SSL/IPSec VPN Firewall
without making any changes.
Router Plus NAT Mode:
When you apply a public IP address as your default gateway, you can setup this public IP address into a
LAN PC, and this PC can use this public IP address to reach the Internet. Others PCs can use NAT mode to
reach the Internet.
If this WAN network is enabled the Router plus NAT mode, you can still use load balancing function in this
WAN network.
40
SSL/IPSec VPN Firewall
WAN IP address
Enter the public IP address.
Subnet mask
Enter the public IP address subnet mask.
WAN Default Gateway
Enter the WAN default gateway, which provided by your ISP.
DNS Servers
Enter the DNS server IP address, you must have to enter a DNS server
IP address, maximum two DNS servers IP addresses available..
LAN Default Gateway
Enter one of IP addresses that provide by the ISP as your default
gateway.
LAN IP Addresses Range
Enter your IP addresses range, which IP addresses are provided by
ISP. If you have multiple IP ranges, you need setup group1 and group
2.
You can also setup the default gateway and IP range in the group 2.
Enable Line-Dropped
The WAN disconnection schedule will be activated by checking this
Scheduling
option. In some areas, there is a time limitation for WAN connection
service. For example: the optical fiber service will be disconnected
from 0:00 am to 6:00 am. Although there is a standby system in the
device, at the moment of WAN disconnection, all the external
connections that go through this WAN will be disconnected too. Only
after the disconnected lines are reconnected can they go through the
standby system to connect with the Internet. Therefore, to avoid a
huge number of disconnection, users can activate this function to
arrange new connections to be made through another WAN to the
Internet. In this way, the effect of any disconnection can be
minimized.
Line-Dropped Period
Input the time rule for disconnection of this WAN service.
Line-Dropped Scheduling
Input how long the WAN service may be disconnected before the
newly added connections should go through another WAN to connect
with the Internet.
Backup Interface
Select another WAN port as link backup when port binding is
configured. Users should select the port that employs the same ISP.
41
SSL/IPSec VPN Firewall
Click “Apply” to save the configuration, or click “Cancel" to leave without making any changes.
DMZ Setting:
For some network environments, an independent DMZ port may be required to set up externally
connected servers such as WEB and Mail servers. Therefore, the device supports a set of independent DMZ
ports for users to set up connections for servers with real IP addresses. The DMZ ports act as bridges
between the Internet and LANs.
For some Qno models, the WAN4 and DMZ port can be configurable each other. You can depend on the
real environment to choose which the port is WAN4 or DMZ.
IP address: Indicates the current default static IP address.
Config.: Indicates an advanced configuration modification: Click Edit to enter the advanced configuration
page.
The DMZ configuration can be classified by Subnet, Range and DMZ IP ranges are the same with WAN IP
ranges in Router Plus NAT mode：
Subnet:
The DMZ and WAN located in different Subnets
For example: If the ISP issued 16 real IP addresses: 220.243.230.1-16 with Mask 255.255.255.240,
users have to separate the 16 IP addresses into two groups: 220.243.230.1-8 with Mask 255.255.255.248,
and 220.243.230.9-16 with Mask 255.255.255.248 and then set the device and the gateway in the same
group with the other group in the DMZ.
42
SSL/IPSec VPN Firewall
Specify DMZ IP Address
Enter the DMZ Port IP Address
Subnet Mask
Enter the DMZ Port Subnet Mask
Range:
DMZ and WAN are within same Subnet
Interface
Select a WAN Port witch is the same subnet with DMZ
IP Range for DMZ port
Input the IP range located at the DMZ port.
DMZ IP ranges are the same with WAN IP ranges in Router Plus NAT mode:
43
SSL/IPSec VPN Firewall
LAN Default Gateway
Enter the LAN Default Gateway that you configured at Router Plus
NAT Mode
LAN IP Range
Enter the usable static IP range that provide by ISP into the DMZ
service IP range.
If you have other IP range, you can setup the default gateway and IP
range into group 2.
After the changes are completed, click “Apply” to save the configuration, or click “Cancel" to leave
without making any changes.
44
SSL/IPSec VPN Firewall
6.2 Multi- WAN Setting
When you have multiple WAN gateways, you can use Traffic Management and Protocol Binding function
to fulfill WAN road balancing, so that we can have highest network bandwidth efficiency.
45
SSL/IPSec VPN Firewall
6.2.1 Load Balance Mode
Auto Load Balance Mode:
When Auto Load Balance mode is selected, the device will use sessions or IP and the WAN bandwidth
automatically allocate connections to achieve load balancing for external connections. The network
bandwidth is set by what users input for it. For example, if the upload bandwidth of both WANs is 512Kbit/sec,
the automatic load ratio will be 1:1; if one of the upload bandwidths is 1024Kbit/sec while the other is
512Kbit/sec, the automatic load ratio will be 2:1. Therefore, to ensure that the device can balance the actual
network load, please input real upload and download bandwidths.
Session Balance: If ―By Session‖ is selected, the WAN bandwidth will automatically allocate
connections based on session number to achieve network load balance.
IP Session Balance: If ―By IP‖ is selected, the WAN bandwidth will automatically allocate connections
based on IP amount to achieve network load balance.
Note!
For either session balancing or IP connection balancing, collocation with Protocol Binding will
provide a more flexible application for bandwidth. Users can assign a specific Intranet IP to go
through a specific service provider for connection, or assign an IP for a specific destination to go
through the WAN users assign to connect with the Internet.
For example, if users want to assign IP 192.168.1.100 to go through WAN 1 when connecting
with the Internet, or assign all Intranet IP to go through WAN 2 when connecting with servers with
port 80, or assign all Intranet IP to go through WAN 1 when connecting with IP 211.1.1.1, users
46
SSL/IPSec VPN Firewall
can do that by configuring ―Protocol Binding‖.
Attention! When the Auto Load Balance mode is collocated with Protocol Binding, only IP
addresses or servers that are configured in the connection rule will follow the rule for external
connections; those which are not configured in the rule will still follow the device Auto Load Balance
system.
Please refer to the explanations in 6.2.3 Configuring Protocol Binding for setting up Protocol
Binding and for examples of collocating router modes with Protocol Binding.
Un-binding WAN Balance Mode:
This mode enables users to assign specific intranet IP addresses, destination application service ports or
destination IP addresses to go through an assigned WAN for external connection. After being assigned, the
specific WAN will only support those assigned Intranet IP addresses, specific destination application service
ports, or specific destination IP addresses. Intranet IP, specific destination application service ports and
specific destination IP that is not configured under the rules will go through other WANs for external
connection. For unassigned WANs, users can select Load Balance mode and select session or IP for load
balancing.
If you don’t specified IP address、TCP/UDP port or destination IP addresses in WAN ports, you can still
use ―Session Balance‖ and ―IP Balance‖ mechanisms to fulfill load balancing. Detail of these two mechanisms
are as following.
Session Balance: If ―By Session‖ is selected, the WAN bandwidth will automatically allocate connections
based on session number to achieve network load balance.
IP Balance: If ―By IP‖ is selected, the WAN bandwidth will automatically allocate connections based on
the number of IP addresses to achieve network load balance.
Note!
Only when a device assignment is collocated with Protocol Binding can the balancing function
be brought into full play. For example, an assignment requiring all Intranet IP addresses to go
through WAN 1 when connecting with service port 80, or go through WAN 1 when connecting with
IP 211.1.1.1, must be set up in the Protocol Binding Configuration.
Attention: When assigning mode is selected, as in the above example, the IP(s) or service
provider(s) configured in the connection rule will follow the rule for external connections, but those
which are not configured in the rule will still follow the device Load Balance system to go through
47
SSL/IPSec VPN Firewall
other WAN ports to connect with the Internet.
Please refer to the explanations in 6.2.3 Configuring Protocol Binding for setting up Protocol
Binding and for examples of collocating router mode with Protocol Binding.
Strategy Routing Mode:
If strategy Routing is selected, the device will automatically allocate external connections based on
routing policy (Division of traffic between Telecom and Netcom is to be used in China) embedded in the device.
All you have to do is to select the WAN (or WAN group) which is connected with Netcom; the device will then
automatically dispatch the traffic for Netcom through that WAN to connect with the Internet and dispatch traffic
for Telecom to go through the WAN connected with Telecom to the Internet accordingly. In this way, the traffic
for Netcom and Telecom can be divided.
Set WAN Grouping:
If more than one WAN is connected with Netcom, to apply a similar division of traffic policy to these
WANs, a combination for the WANs must be made. Click ―Set WAN Grouping‖; an interactive window as
shown in the figure below will be displayed.
Name
To define a name for the WAN grouping in the box, such as ―Education‖
etc. The name is for recognizing different WAN groups.
48
SSL/IPSec VPN Firewall
Interface
Check the boxes for the WANs to be added into this combination.
Add To List
To add a WAN group to the grouping list.
Delete selected
To remove selected WANs from the WAN grouping.
Apply
Click ―Apply‖ to save the modification.
Cancel
Click ―Cancel‖ to cancel the modification. This only works before
―Apply‖ is clicked.
After the configuration is completed, in the China Netcom Policy window users can select WANs in
combination to connect with Netcom.
Import Strategy:
A division of traffic policy can be defined by users too. In the ―Import IP Range‖ window, select the WAN
or WAN group (ex. WAN 1) to be assigned and click the ―Import IP Range‖ button; the dialogue box for
document importation will be displayed accordingly. A policy document is an editable text document. It may
contain a destination IP users designated. After the path for document importation has been selected, click
―Import‖, and then at the bottom of the configuration window click ―Apply‖. The device will then dispatch the
traffic to the assigned destination IP through the WAN (ex. WAN 1) or WAN grouping users designated to the
Internet.
To build a policy document users can use a text-based editor, such as Notepad, which is included with
49
SSL/IPSec VPN Firewall
Windows system. Follow the text format in the figure below to key in the destination IP addresses users want
to assign. For example, if the destination IP address range users want to designate is 140.115.1.1 ~
140.115.1.255, key in 140.115.1.1 ~ 140.115.1.255 in Notepad. The next destination IP address range should
be keyed in the next line. Attention! Even if only one destination IP address is to be assigned, it should follow
the same format. For example, if the destination IP address is 210.66.161.54, it should be keyed in as
210.66.161.54~210.66.161.54. After the document has been saved (the extension file name is .txt), users can
import the IP range of self-defined strategy.
Note!
China Netcom strategy and self-defined strategy can coexist. However, if a destination IP is
assigned by both China Netcom strategy and self-defined strategy, China Netcom strategy will take
priority. In other words, traffic to that destination IP will be transmitted through the WAN (or WAN group)
under China Netcom strategy.
Session Balance Advanced Function
In general, session balance is to equally and randomly distribute the session connections of each
intranet IP. For some special connections, for example, web banking encrypted connection (Https or
TCP443), is required to connect from the same WAN IP. If one intranet IP visits web banking website and
the connection is distributed into different WAN IP addresses, there will be disconnection or failure.
Session balance advanced function targets at solving this issue.
Session balance advanced function can set the same intranet IP keeps having sessions from the same
WAN IP for some specific service protocols. Other service protocols can still adopt the original balance
mechanism to distribute the sessions equally and randomly. With the original session balance efficiency,
advanced function can ensure the connection running without error for some special service protocols.
50
SSL/IPSec VPN Firewall
Click ―Advanced Function‖ to enter the setting window:
Destination Auto Binding
Indicates that the session will be connected with the same WAN IP
when the destination IP is in the same Class B range.
For example, there are WAN1-1 200.10.10.1 and WAN2- 200.10.10.2, and two intranet IP addresses. When
192.168.1.100 visits Internet 61.222.81.100 for the first time, the connection is through WAN1- 200.10.10.1.
If the next destination is to 61.222.81.101 (in the same Class B range), the connection will also be through
WAN1- 200.10.10.1. If the destination is to other IP not in the same Class B range as 61.222.81.100, the
session will be distributed in the original session balance mechanism.
51
SSL/IPSec VPN Firewall
When the other intranet IP 192.168.1.101 visits 61.222.81.101 for the first time, the connection is through
WAN2- 200.10.10.2. If the next destination is to 61.222.81.100 (in the same Class B range), the connection
will also be through WAN2 200.10.10.2. If the destination is to other IP not in the same Class B range as
61.222.81.100), the session will be distributed in the original session balance mechanism.
Note!
Not all intranet IP will visit the same Class B range with the same WAN IP.
first connection goes to.
It depends on which WAN the
If the destination IP is in the same Class B range, the connection will go through
with the same WAN IP based on the first time learning.
User Define Dis. Or Port Auto
Indicates that the intranet IP will connect through the same WAN IP
Binding
when the service ports are self- defined.
You can self- define the service ports and destination IP. (If the
destination IP is set as 0.0.0.0 to 0, this represents that the destination
is to any IP range.)
Note!
You can only choose either Destination Auto Binding or User Define
Dis. Or Port Auto Binding.
Take default rules for example:
52
SSL/IPSec VPN Firewall
When any intranet IP connects with TCP443 port or any destination (0.0.0.0 to 0 represents any destination),
it will go through the same WAN IP. As for which WAN will be selected, this follows the first- chosen WAN IP
distributed by the original session balance mechanism. For example, there are two intranet IP- 192.168.100.1
and 192.168.100.2. When these intranet IPs first connects with TCP443 port, 192.168.100.1 will go through
WAN1, and 192.168,100.2 will go through WAN2.
Afterwards, 192.168.100.1 will go through WAN1 when
there are TCP443 port connections. 192.168.100.2 will go through WAN2 when there are TCP443 port
connections.
This rule is by default.
You can delete or add rules to meet your connection requirement.
6.2.2 Network Detection Service
This is a detection system for network external services. If this option is selected, information such ―Retry‖
53
SSL/IPSec VPN Firewall
or ―Retry Timeout‖ will be displayed. If two WANs are used for external connection, be sure to activate the
NSD system, so as to avoid any unwanted break caused by the device misjudgment of the overload traffic for
the WAN.
Interface
Select the WAN Port that enables Network Service Detection.
Retry count
This selects the retry times for network service detection. The default is
five times. If there is no feedback from the Internet in the configured
―Retry Times", it will be judged as ―External Connection Disconnected‖.
Retry Timeout
Delay time for external connection detection latency. The default is 30
seconds. After the retry timeout, external service detection will restart.
When Fail
(1) Generate the Error Condition in the System Log: If an ISP
connection failure is detected, an error message will be recorded in
the System Log. This line will not be removed; therefore, the some of
the users on this line will not have normal connections.
This option is suitable under the condition that one of the WAN
connections has failed; the traffic going through this WAN to the
54
SSL/IPSec VPN Firewall
destination IP cannot shift to another WAN to reach the destination. For
example, if users want the traffic to 10.0.0.1 ~ 10.254.254.254 to go only
through WAN1, while WAN2 is not to support these destinations, users
should select this option. When the WAN1 connection is disconnected,
packets for 10.0.0.1~10.254.254.254 cannot be transmitted through WAN
2, and there is no need to remove the connection when WAN 1 is
disconnected.
(2) Keep System Log and Remove the Connection: If an ISP
connection failure is detected, no error message will be recorded in
the System Log. The packet transmitted through this WAN will be
shifted to the other WAN automatically, and be shifted back again
when the connection for the original WAN is repaired and
reconnected.
This option is suitable when one of the WAN connections fails and the
traffic going through this WAN to the destination IP should go through the
other WAN to reach the destination. In this way, when any of the WAN
connections is broken, other WANs can serve as a backup; traffic can be
shifted to a WAN that is still connected.
Detecting Feedback Servers:
Default Gateway
The local default communication gateway location, such as the IP address
of an ADSL router, will be input automatically by the device. Therefore,
users just need to check the option if this function is needed. Attention!
Some gateways of an ADSL network will not affect packet detection. If
users have an optical fiber box, or the IP issued by ISP is a public IP and
the gateway is located at the port of the net café rather than at the IP
provider’s port, do not activate this option.
ISP Host
This is the detected location for the ISP port, such as the DNS IP address
of ISP. When configuring an IP address for this function, make sure this IP
is capable of receiving feedback stably and speedily. (Please input the
DNS IP of the ISP port)
Remote Host
This is the detected location for the remote Network Segment. This
Remote Host IP should better be capable of receiving feedback stably
55
SSL/IPSec VPN Firewall
and speedily. (Please input the DNS IP of the ISP port).
DNS Lookup Host
This is the detect location for DNS. (Only a web address such as
www.hinet.net is acceptable here. Do not input an IP address.) In addition,
do not input the same web address in this box for two different WANs.
Note!
In the load balance mode for Assigned Routing, the first WAN port (WAN1) will be saved for the
traffic of the IP addresses or the application service ports that are not assigned to other WANs (WAN2,
WAN3, and WAN4). Therefore, in this mode, we recommend assigning one of the connections to the
first WAN. When other WANs (WAN2, WAN3, or WAN4) are broken and connection error remove
(Remove the Connection) has been selected for the connection detection system, traffic will be shifted
to the first WAN (WAN1). In addition, if the first WAN (WAN1) is broken, the traffic will be shifted to other
WANs in turn. For example, the traffic will be shifted to WAN2 first; if WAN2 is broken too, the traffic will
be shifted to WAN3, and so on.
6.2.3 Protocol Binding
Interface Configuration
Router allows maximum four WAN interface, the bandwidth and real connection of every WAN will
impact the load balance mechanism; therefore you need to set the Bandwidth and the Network service
detection by each WAN Port correctly.
In “Interface Configuration”, click “Edit” to enter the WAN port configuration.
Bandwidth Configuration
When Auto Load Balance mode is selected, the device will select sessions or IP and the WAN bandwidth
56
SSL/IPSec VPN Firewall
will automatically allocate connections to achieve load balancing for external connections. The network
bandwidth is set by what users input for it. For example, if the upload bandwidth of both WANs is 512Kbit/sec,
the automatic load ratio will be 1:1; if one of the upload bandwidths is 1024Kbit/sec, while the other is
512Kbit/sec, the automatic load ratio will be 2:1. Therefore, to ensure that the device can balance the actual
network load, please input real upload and download bandwidths. The section refers to QoS configuration.
Therefore, it should be set in QoS page. Please refer to 8.1 QoS bandwidth configuration.
Protocol Binding
Users can define specific IP addresses or specific application service ports to go through a user-assigned
WAN for external connections. For any other unassigned IP addresses and services, WAN load balancing will
still be carried out.
Note!
In the load balance mode of Assigned Routing, the first WAN (WAN1) cannot be assigned. It is to
be saved for the IP addresses and the application Service Ports that are not assigned to other WANs
(WAN2, WAN3, and WAN4) for external connections. In other words, the first WAN (WAN1) cannot be
configured with the Protocol Binding rule. This is to avoid a condition where all WANs are assigned to
specific Intranet IP or Service Ports and destination IP, no more WAN ports will be available for other IP
addresses and Service Ports.
57
SSL/IPSec VPN Firewall
Service
This is to select the Binding Service Port to be activated. The default (such
as ALL-TCP&UDP 0~65535, WWW 80~80, FTP 21 to 21, etc.) can be
selected from the pull-down option list. The default Service is All 0~65535.
Option List for Service Management: Click the button to enter the Service
Port configuration page to add or remove default Service Ports on the
option list.
Source IP
Users can assign packets of specific Intranet virtual IP to go through a
specific WAN port for external connection. In the boxes here, input the
Intranet virtual IP address range; for example, if 192.168.1.100~150 is
input, the binding range will be 100~150. If only specific Service Ports need
to be designated, while specific IP designation is not necessary, input ―0‖ in
58
SSL/IPSec VPN Firewall
the IP boxes.
Destination IP
In the boxes, input an external static IP address. For example, if
connections to destination IP address 210.11.1.1 are to be restricted to
WAN1, the external static IP address 210.1.1.1 ~ 210.1.1.1 should be
input. If a range of destinations is to be assigned, input the range such as
210.11.1.1 ~ 210.11.255.254. This means the Class B Network Segment of
210.11.x.x will be restricted to a specific WAN. If only specific Service Ports
need to be designated, while a specific IP destination assignment is not
required, input ―0‖ into the IP boxes.
Interface
Select the WAN for which users want to set up the binding rule.
Enable
To activate the rule.
Add To List
To add this rule to the list.
Delete selected item
To remove the rules selected from the Service List.
Moving Up & Down
The priority for rule execution depends on the rule order in the list. A rule
located at the top will be executed prior to those located below it. Users can
arrange the order according to their priorities.
Note!
The rules configured in Protocol Binding will be executed by the device according to their priorities
too. The higher up on the list, the higher the priority of execution.
Show Priority:
Click the ―Show Priority‖ button. A dialogue box as shown in the following figure will be displayed. Users
can choose to sort the list by priority or by interface. Click ―Refresh‖ and the page will be refreshed; click
―Close‖ and the dialogue box will be closed.
59
SSL/IPSec VPN Firewall
Add or Remove Service Port:
If the Service Port users want to activate is not in the list, users can add or remove service ports from
“Service Management” to arrange the list, as described in the following:
Service Name
In this box, input the name of the Service Port which users want to
activate, such as BT, etc.
Protocol
This option list is for selecting a packet format, such as TCP or UDP for
the Service Ports users want to activate.
Port range
In the boxes, input the range of Service Ports users want to add.
Add To List
Click the button to add the configuration into the Services List. Users
can add up to 100 services into the list.
60
SSL/IPSec VPN Firewall
Delete selected Service
To remove the selected activated Services.
Apply
Click the ―Apply‖ button to save the modification.
Cancel
Click the “Cancel” button to cancel the modification. This only works
before “Apply” is clicked.
Exit
To quit this configuration window.
Auto Load Balancing mode when enabled
The collocation of the Auto Load Balance Mode and the Auto Load Mode will enable more flexible use of
bandwidth. Users can assign specific Intranet IP addresses to specific destination application service ports or
assign specific destination IP addresses to a WAN user choose for external connections.
Example 1：How do I set up Auto Load Balance Mode to assign the Intranet IP 192.168.1.100 to WAN2 for the
Internet?
As in the figure below, select ―All Traffic‖ from the pull-down option list ―Service‖, and then in the boxes of
―Source IP‖ input the source IP address ―192.168.1.100‖ to ―100‖. Retain the original numbers ―0.0.0.0‖ in the
boxes of ―Destination IP‖ (which means to include all Internet IP addresses). Select WAN2 from the pull-down
option list ―Interface‖, and then click ―Enable‖. Finally, click ―Add New‖ and the rule will be added to the mode.
61
SSL/IPSec VPN Firewall
Example 2：How do I set up Auto Load Balance Mode to keep Intranet IP 192.168.1.150 ~ 200 from
going through WAN2 when the destination port is Port 80?
As in the figure below, select ―HTTP [TCP/80~80]‖ from the pull-down option list ―Service‖, and then in the
boxes for ―Source IP‖ input ―192.168.1.150‖ to ―200‖. Retain the original numbers ―0.0.0.0‖ in the boxes of
―Destination IP‖ (which means to include all Internet IP addresses). Select WAN2 from the pull-down option
list ―Interface‖, and then click ―Enable‖. Finally, click ―Add New‖ and the rule will be added to the mode.
62
SSL/IPSec VPN Firewall
Example 3：How do I set up Auto Load Balance Mode to keep all Intranet IP addresses from going through
WAN2 when the destination port is Port 80 and keep all other services from going through WAN1?
As in the figure below, there are two rules to be configured. The first rule: select ―HTTP [TCP/80~80]‖
from the pull-down option list ―Service‖, and then in the boxes of Source IP input ―192.168.1.0‖ to ―0‖ (which
means to include all Intranet IP addresses). Retain the original numbers ―0.0.0.0‖ in the boxes of ―Destination
IP‖ (Which means to include all Internet IP addresses). Select WAN2 from the pull-down option list ―Interface‖,
and then click ―Enable‖. Finally, click ―Add New‖ and the rule will be added to the mode. The device will
transmit packets to Port 80 through WAN2. However, with only the above rule, packets that do not go to Port
80 may be transmitted through WAN2; therefore, a second rule is necessary. The second rule: Select ―All
Ports [TCP&UDP/1~65535]‖ from the pull-down option list ―Service‖, and then input ―192.168.1.2 ~ 254‖ in the
boxes of ―Source IP‖. Retain the original numbers ―0.0.0.0‖ in the boxes of ―Destination IP‖ (which means to
include all Internet IP addresses). Select WAN1 from the pull-down option list ―Interface‖, and then click
―Enable‖. Finally, click ―Add New‖ and the rule will be added to the mode. The device will transmit packets that
are not going to Port 80 to the Internet through WAN1.
63
SSL/IPSec VPN Firewall
Configure “Assigned Routing Mode” for Load Balance
IP Group: This function allows users to assign packets from specific Intranet IP addresses or to specific
destination Service Ports and to specific destination IP addresses through an assigned WAN to the Internet.
After being assigned, the specific WAN will only support those assigned Intranet IP addresses, destination
Service Ports, or destination IP addresses. Those which are not configured will go through other WANs for
external connection. Only when this mode is collocated with ―Assigned Routing‖ can it bring the function into
full play.
Example 1：How do I set up the Assigned Routing Mode to keep all Intranet IP addresses from going
through WAN2 when the destination is Port 80, and keep all other services from going through WAN1?
As in the figure below, select ―HTTP[TCP/80~80]‖ from the pull-down option list ―Service‖, and then in the
boxes of ―Source IP‖ input ―192.168.1.0 ~ 0‖ (which means to include all Intranet IP addresses). Retain the
original numbers ―0.0.0.0‖ in the boxes of ―Destination IP‖ (Which means to include all Internet IP addresses).
Select WAN2 from the pull-down option list ―Interface‖, and then click ―Enable‖. Finally, click ―Add New‖ and
the rule will be added to the mode. After the rule is set up, only packets that go to Port 80 will be transmitted
through WAN2, while other traffics will be transmitted through WAN1.
64
SSL/IPSec VPN Firewall
Example 2：How do I configure Protocol Binding to keep traffic from all Intranet IP addresses from
going through WAN2 when the destinations are IP 211.1.1.1 ~ 211.254.254.254 as well as the whole
Class A group of 60.1.1.1 ~ 60.254.254.254, while traffic to other destinations goes through WAN1?
As in the following figure, there are two rules to be configured. The first rule: Select ―All Port
[TCP&UDP/1~65535]‖ from the pull-down option list ―Service‖, and then in the boxes of ―Source IP‖ input
―192.168.1.0 ~ 0‖ (which means to include all Intranet IP addresses). In the boxes for ―Destination IP‖ input
―211.1.1.1 ~ 211.254.254.254‖. Select WAN2 from the pull-down option list ―Interface‖, and then click ―Enable‖.
Finally, click ―Add New‖ and the rule will be added to the mode. The second rule: Select ―All Port
[TCP&UDP/1~65535]‖ from the pull-down option list ―Service‖, and then in the boxes of ―Source IP‖ input
―192.168.1.0 ~ 0‖ (which means to include all Intranet IP addresses). In the boxes of ―Destination IP‖ input
―211.1.1.1 ~ 60,254,254,254‖. Select WAN2 from the pull-down option list ―Interface‖, and then click ―Enable‖.
Finally, click ―Add New‖, and the rule will be added to the mode. After the rule has been set up, all traffic that is
not going to the assigned destinations will only be transmitted through WAN1.
65
SSL/IPSec VPN Firewall
When connection failed,
Retry
every
30
Input the retry period when connection failed. The default value
is 30 minutes.
minutes
Remote Host IP Address
Input the IP of virtual route server.
User Name
Input the user name.
Password
Input the password.
Status
Show the link status: Connect or Disconnect.
Self-Defined IP
To build a self-defined IP, users can use a text-based editor, such as Notepad, which is
included with Windows system. Follow the text format in the figure below to key in the
destination IPs users want to assign. For example, if the destination IP address range users want
to designate is 140.115.1.1 ~ 140.115.1.255, key in 140.115.1.1 ~ 140.115.1.255 in Notepad.
66
SSL/IPSec VPN Firewall
The next destination IP address range should be keyed in the next line. Attention! Even if only
one destination IP address is to be assigned, it should follow the same format. For example, if
the destination IP address is 210.66.161.54, it should be keyed in as
210.66.161.54~210.66.161.54. After the document has been saved (the extension file name
is .txt), users can import the IP range of self-defined strategy.
Self-Defined Port
To build a self-defined Port users can use a text-based editor, such as Notepad, which is
included with Windows system. For example, if the destination port users want to designate
is TCP/3724~3724, key in TCP/3724~3724 in Notepad. The next destination port should be
keyed in the next line. After the document has been saved (the extension file name is .txt),
users can import the port of self-defined strategy.
67
SSL/IPSec VPN Firewall
VII. Intranet Configuration
This chapter introduces how to configure ports and understand how to configure intranet IP addresses.
7.1 Port Management
Through the Router, users can easily manage the setup for WAN ports, LAN ports and the DMZ port by
choosing the number of ports, speed, priority, duplex and enable/disable the auto-negotiation feature for
connection setting of each port.
Disabled
This feature allows users turn on/off the Ethernet port. If selected, the
Ethernet port will be shut down immediately and no connection can be
made. The default value is "on".
Priority
This feature allows users to set the high/low priority of the packet delivery
for the Ethernet port. If it is set as High, the port has the first priority to
deliver the packet. The default value is ―Normal‖.
Speed
This feature allows users to select the network hardware connection speed
for the Ethernet port. The options are 10Mbps and 100Mbps.
Duplex Status
This feature allows users to select the network hardware connection speed
68
SSL/IPSec VPN Firewall
working mode for the Ethernet. The options are full duplex and half duplex.
Auto Neg.
The Auto-Negotiation mode can enable each port to automatically adjust
and gather the connection speed and duplex mode. Therefore, if Enabled
Auto-Neg. selected, the ports setup will be done without any manual setting
by administrators.
VLAN
This feature allows administrators to set the LAN port to be one or more
disconnected network sessions. All of them will be able to log on to the
Internet through the device.
Members in the same network session (within the same VLAN) can see and
communicate with each other. Members in different VLAN will not know the
existence of other members.
VLAN All
Set VLAN All port to be the public area of VLAN so that it can be connected
to other VLAN networks. A server should be constructed for the intranet so
that all VLAN group can visit this server. Set one of the network ports as
VLAN All. Connect the server to VLAN All so that computers of different
VLAN groups can be connected to this server. Moreover, the port where the
administrator locates must be set as VLAN All so that it can be connected to
the entire network to facilitate network management.
Mirror Port：Users can configure LAN 1 as mirror port by choosing ―Enable Port 1 as Mirror Port‖. All the
traffic from LAN to WAN will be copied to mirror port. Administrator can control or filter the traffic through
mirror port. Once this function is enabled, LAN 1 will be shown as Mirror Port in Physical Port Status, Home
page.
7.2 Port Status
69
SSL/IPSec VPN Firewall
This function allows network managers to review the detail information of each port. introduces how to
configure ports and understand how to configure intranet IP addresses.
Summary:
There are Network Connection Type, Interface(LAN/WAN1~4/DMZ), Link Status (Up/Down), Port Activity
(Port Enabled), Priority Setting (High or Normal), Speed Status (10Mbps or 100Mbps), Duplex Status (half
duplex or full duplex), Auto Neg. (Enabled/Disabled), and VLAN(VLAN1~4/ VLAN All).
Statistics:
The packet data of this specific port will be displayed. Data include receive/ transmit packet count,
receive/ transmit packet Byte count and error packet count. Users may press the refresh button to update all
real-time messages.
70
SSL/IPSec VPN Firewall
7.3 IP/ DHCP
With an embedded DHCP server, it supports automatic IP assignation for LAN computers. (This function
is similar to the DHCP service in NT servers.) It benefits users by freeing them from the inconvenience of
recording and configuring IP addresses for each PC respectively. When a computer is turned on, it will acquire
an IP address from the device automatically. This function is to make management easier.
71
SSL/IPSec VPN Firewall
Dynamic IP:
This is to set up a lease time for the IP address which is acquired by a
Client lease Time
PC. The default is 1440 minutes (a day). Client PC will acquire again
after the lease time is expiration. Users can change it according to their
needs. The time unit is minute.
This is to set up a lease time for the IP address which is acquired by a
Range Start
PC. The default is 1440 minutes (a day). Users can change it according
to their needs. The time unit is minute.
This is an initial IP automatically leased by DHCP. It means DHCP will
Range End
start the lease from this IP.
The default initial IP is 192.168.1.100.
DNS (Domain Name Service):
This is for checking the DNS from which an IP address has been leased to a PC port. Input the IP
address of this server directly.
DNS Server (Required) 1
Input the IP address of the DNS server.
DNS Server (Required) 2
Input the IP address of the DNS server.
WINS:
If there is a WIN server in the network, users can input the IP address of that server directly.
WINS Server
Input the IP address of WINS.
Apply
Click “Apply” to save the network configuration modification.
Cancel
Click “Cancel" to leave without making any changes.
Show Table:
This is for the status of showing whole MAC/IP binding list that has configured and you can chose ―Edit‖
to modify it.
72
SSL/IPSec VPN Firewall
7.4 DHCP Status
This is an indication list of the current status and setup record of the DHCP server. The indications are for
the administrator’s reference when a network modification is needed.
DHCP Server
This is the current DHCP IP.
Dynamic IP Used
The amount of dynamic IP leased by DHCP.
Static IP Used
The amount of static IP assigned by DHCP.
IP Available
The amount of IP still available in the DHCP server.
Total IP
The total IP which the DHCP server is configured to lease.
Host Name
The name of the current computer.
IP Address
The IP address acquired by the current computer.
MAC Address
The actual MAC network location of the current computer.
Client Lease Time
The lease time of the IP released by DHCP.
Delete
Remove a record of an IP lease.
73
SSL/IPSec VPN Firewall
DNS Local Database (Future)
Normally, DNS sever will be directed to ISP DNS server or internal self- defined DNS server.
Qno router also provides “easy” self- defined DNS services, called “DNS Local Database”, which
can map website host domain names and the corresponding IP addresses.
Host Domain Name
Enter the website host domain name.
i.e. www.google.com
IP Address
Enter the corresponding IP address of the host domain above.
Add to Llist
Add the items into the list below.
Delete selected item
Delete the items chosen.
※ Note!
(1) Users MUST enable DCHP server service to enable DNS local database.
(2) Users must set DHCP server DNS IP address as the router LAN IP. For example, LAN is
10.10.10.1, as shown in the following figure.
74
SSL/IPSec VPN Firewall
Therefore, DCHP DNS IP address must be 10.10.10.1 to make DNS local database in effect.
(3) After enabling DNS local database, if there is no host domain names in the list, the router will
still use ISP DNS server or internal DNS server for lookup.
Test if DNS local database is effective:
Assumed tw.yahoo.com IP address is 10.10.10.199, as the following figure.
(1) System Tool => Diagnostic => DNS Name Lookup
75
SSL/IPSec VPN Firewall
(2) Enter tw.yahoo.com for lookup.
(3) The IP is 10.10.10.199, confirming the corresponding IP in DNS local database.
7.5 IP & MAC Binding
Administrators can apply IP & MAC Binding function to make sure that users can not add extra PCs for
Internet access or change private IP addresses.
76
SSL/IPSec VPN Firewall
There are two methods for setting up this function:
77
SSL/IPSec VPN Firewall
Provide services to allowed MAC addresses:
Static IP
There are two ways to input static IP:
1.
If users want to set up a MAC address to acquire IP from
DHCP, but the IP need not be a specific assigned IP, input
0.0.0.0 in the boxes. The boxes cannot be left empty.
2.
If users want DHCP to assign a static IP for a PC every
single time, users should input the IP address users want
to assign to this computer in the boxes. The server or PC
which is to be bound will then acquire a static virtual IP
78
SSL/IPSec VPN Firewall
whenever it restarts.
Input the static real MAC (the address on the network card) for
MAC Address
the server or PC which is to be bound.
For distinguishing clients, input the name or address of the
Name
client that is to be bound. The maximum acceptable characters
are 12.
Enable
Activate this configuration.
Add to list
Add the configuration or modification to the list.
Delete selected Entry
Remove the selected binding from the list.
Add to list
Add new binding.
Block MAC address on the list with wrong IP address: This method only allows MAC addresses on
the list to receive IP addresses from DHCP and have Internet access.
Block MAC address not on the list: When this option is activated, MAC addresses which are not
included in the list will not be able to connect with the Internet.
Show New IP user:
This function can reduce administrator’s effort on checking MAC addresses one by one for the binding.
Furthermore, it is easy to make mistakes to fill out MAC addresses on the list manually. By checking this list,
administrator can see all MAC addresses which have traffic and are not bound yet. Also, if administrators find
that one specific bound MAC address is shown on the list, it means that the user changes the private IP
address.
Name
Input the name or address of the client that is to be bound. The maximum
acceptable characters are 12.
Enabled
Choose the item to be bound.
Apply
Activate the configuration.
79
SSL/IPSec VPN Firewall
Select All
Choose all items on the list for binding.
Refresh
Refresh the list.
Close
Close the list.
7.6 IP Group Management
IP Group function can combine several IP addresses or IP address ranges into several groups. When
you manage user internet access privileges by IP address, you can set up every management functions for
users who have same internet access privileges in the same IP group in order to decrease the effort of setting
rules for each IP address. For example, you can choose to set up QoS or Access Rule by IP grouping. Thus,
you will simplify setting rules.
IP Grouping consists of Local IP Group and Remote IP Group. Local IP Group refers to LAN IP groups,
and remote IP Group refers to WAN IP groups. Local IP Group list will automatically learn IP addresses having
packets that pass through firewall. Moreover, if user changes the IP address, the IP in the list will change
accordingly well. For IP information which is in group list, it won't update automatically along with IP list of the
left side. Administrators need to modify it manually.
80
SSL/IPSec VPN Firewall
User Edit IP
The IP list will show the list which learns the IP addresses automatically on the left
under side. You can also modify IP addresses manually.
Name
Input the name of IP address (or range) showed below.
IP Address
Input IP address (or range). For example, 192.168.1.200 ~ 250.
Add to IP List
After setting name and IP address, push this button to add the information into the
IP list below. If this IP (or range) is already in the list, you can not add it again.
Local Group Set
You can choose from the IP list on the left side to set up a local IP group.
IP Group
Choose IP Group that you would like to modify. If you would like to add new groups,
please push ―Add new group‖ button.
Group Name
When you add new groups, please note if the group name is in the column.
Delete Group
Choose the group that you would like to delete from the pull- down list, and push the
―Delete Group‖ button. System will ask you again if you would like to delete the
group. After pushing the confirmation button, the group will be deleted.
You can choose several IPs from IP list on the left side, and push this button to have
button
them added into the group the right side.
Delete
Delete self- defined IP or IP range.
Apply
Click “Apply” to save the network configuration modification
Cancel
Click “Cancel" to leave without making any changes.
Remote IP Group Management:
Basically, Remote IP Group setups are exactly the same as Local IP Group setups. However, remote IP
group does not have automatically learning functions. Instead, you need to define addresses, ranges and
groups manually. For example, 220.130.188.1 to 200 (range).
81
SSL/IPSec VPN Firewall
It is the same setting methods. You should set the IP address or the range of remote IP from the left side
first, and choose to add IP address information from the left side into the remote group.
7.7 Port Group Management
Service ports can be grouping as IP grouping. It is convenient to set QoS, firewall access rules, and other
functions.
82
SSL/IPSec VPN Firewall
User edit port
Input the name, protocol, and port range for the specific service port.
Name
Name the Port in order to identify its property. For example, Virus 135.
Protocol
Choose the port protocol form the pull down list like TCP, UDP or TCP and UDP.
Port Range
Input the port range. For example, 135 to 135.
Add to Port List
After setting name, protocol and port range, push this button to add the
information into the Port list below. This port can be from some port groups.
Group Name
When you add new groups, please note if the group name is in the column. For
example, Virus.
Delete Group
Choose the group that you would like to delete from the pull- down list, and push
the ―Delete Group‖ button. System will ask you again if you would like to delete
the group. After pushing the confirmation button, the group will be deleted.
You can choose several ports from Port list on the left side, and push this button
button
Delete
to have them added into the group the right side.
Delete self- defined port or port range.
83
SSL/IPSec VPN Firewall
Apply
Click “Apply” to save the network configuration modification
Cancel
Click “Cancel" to leave without making any changes.
84
SSL/IPSec VPN Firewall
VIII. QoS (Quality of Service)
QoS is an abbreviation for Quality of Service. The main function is to restrict bandwidth usage for some
services and IP addresses to save bandwidth or provide priority to specific applications or services, and also
to enable other users to share bandwidth, as well as to ensure stable and reliable network transmission. To
maximize the bandwidth efficiency, network administrators should take account of the practical requirements
of a company, a community, a building, or a café, etc., and modify bandwidth management according to the
network environment, application processes or services.
8.1 Bandwidth Management (QoS)
85
SSL/IPSec VPN Firewall
86
SSL/IPSec VPN Firewall
8.1.1 Bandwidth Management
In the boxes for WAN1 and WAN2 bandwidth, input the upstream and downstream bandwidth which
users applied for from bandwidth supplier. The bandwidth QoS will make calculations according to the data
users input. In other words, it will guarantee a minimum rate of upstream and downstream for each IP and
Service Port based on the total actual bandwidth of WAN1 and WAN2. For example, if the upstream
bandwidths of both WAN1 and WAN2 are 512Kbit/Sec, the total upstream bandwidth will be: WAN1 + WAN2
= 1024Kbit/Sec. Therefore, if there are 50 IP addresses in the Intranet, the minimum guaranteed upstream
bandwidth for each IP would be 1024Kbit/50=20Kbit/Sec. Thus, 20Kbit/Sec can be input for ―Mini. Rate‖
Downstream bandwidth can be calculated in the same way.
Note!
The unit of calculation in this example is Kbit. Some software indicates the downstream/upstream
speed with the unit KB. 1KB = 8Kbit.
8.1.2 QoS
To satisfy the bandwidth requirements of certain users, the device enables users to set up QoS: Rate
Control and Priority Control. Users can select only one of the above QoS choices.
Rate Control:
The network administrator can set up bandwidth or usage limitations for each IP or IP range according to
the actual bandwidth. The network administrator can also set bandwidth control for certain Service Ports. A
guarantee bandwidth control for external connections can also be configured if there is an internal server.
87
SSL/IPSec VPN Firewall
Interface
Select on which WAN the QoS rule should be executed. It can be a single
selection or multiple selections.
Service
Select what bandwidth control is to be configured in the QoS rule. If the
bandwidth for all services of each IP is to be controlled, select ―All (TCP&UDP)
1~65535‖. If only FTP uploads or downloads need to be controlled, select
―FTP Port 21~21‖. Refer to the Default Service Port Number List.
IP Address
This is to select which user is to be controlled. If only a single IP is to be
restricted, input this IP address, such as ―192.168.1.100 to 100‖. The rule will
control only the IP 192.168.1.100. If an IP range is to be controlled, input the
range, such as ―192.168.1.100 ~ 150‖. The rule will control IP addresses from
192.168.1.100 to 150. If all Intranet users that connect with the device are to
88
SSL/IPSec VPN Firewall
be controlled, input ―0‖ in the boxes of IP address. This means all Intranet IP
addresses will be restricted. QoS can also control the range of Class B.
Direction
Upstream: Means the upload bandwidth for Intranet IP.Downstream: Means
the download bandwidth for Intranet IP.
Server in LAN, Upstream: If a Server for external connection has been built in
the device, this option is to control the bandwidth for the traffic coming from
outside to this Server.
Server in LAN, Downstream: If there are web sites built in the Intranet, this
option is to control the upload bandwidth for the connections from outside to
this Server. For example, game servers have been built in many Internet
cafés. This rule can be used to control the bandwidth for connections from
outside to the game server of a café to update data. In this way, game players
inside the café will not be affected.
Min. & Max. Rate
The minimum bandwidth: The rule is to guarantee minimum available
(Kbit/Sec)
bandwidth.
The maximum bandwidth: This rule is to restrict maximum available
bandwidth. The maximum bandwidth will not exceed the limit set up under this
rule.
Attention! The unit of calculation used in this rule is Kbit. Some software
indicates download/upload speed by the unit KB. 1KB = 8Kbit.
Bandwidth
Sharing total bandwidth with all IP addresses: If this option is selected, all
Sharing
IP addresses or Service Ports will share the bandwidth range (from minimum
to maximum bandwidth).
Assign bandwidth for each IP address: If this option is selected, every IP or
Service Port in this range can have this bandwidth (minimum to maximum.).
For example, If the rule is set for the IP of each PC, the IP of each PC will have
the same bandwidth.
Note!
If ―Share-Bandwidth‖ is selected, be aware of the actual usage conditions and
89
SSL/IPSec VPN Firewall
avoid an improper configuration that might cause a malfunction of the network
when the bandwidth is too small. For example, if users do not want an FTP to
occupy too much bandwidth, users can select the ―Share-Bandwidth Mode‖,
so that no matter how much users use FTPs to download information, the total
occupied bandwidth is fixed.
Enabled
Activate the rule.
Add to list
Add this rule to the list.
Move up & down
QoS rules will be executed from the bottom of the list to the top of the list. In
other words, the lower down the list, the higher the priority of execution. Users
can arrange the sequence according to their priorities. Usually the service
ports which need to be restricted, such as BT, e-mule, etc., will be moved to
the bottom of the list. The rules for certain IP addresses would then be moved
upward.
Delete
selected
Remove the rules selected from the Service List.
items
Show Table
Display all the Rate Control Rules users made for the bandwidth. Click
“Edit" to modify.
Apply
Click “Apply" to save the configuration
Cancel
Click “Cancel" to leave without making any change.
Show Table:
Click ―Show Table‖ button, you can get a window as below. You can select ―Rule‖ to display rules, or
select Interface to display rules. Click update can re-flash window. Click ―Close‖ can close this window. You
can also click ―Edit‖ to modify parameters.
90
SSL/IPSec VPN Firewall
8.1.3 Smart QoS
With Smart QoS, you can reach the traffic management without setup IP addresses in the traffic
management rule. This function detects LAN users automatically, fewer LAN users can use higher bandwidth,
and too many LAN users can use user lower bandwidth, so that all LAN users can use bandwidth at average.
This function is flexible and simplifies the management effort.
Enable Smart QoS
Click Enable Intelligent QoS
When the utility of any WAN’s
When the bandwidth usage is over the condition, the dynamic
bandwidth is over _%, Enable
intelligent QoS will auto start. The default condition is 60%.
Smart QoS
(0: Always Enabled)
Each IP’s upstream bandwidth
Setup the Upstream bandwidth threshold.
threshold
Each IP’s downstream
Setup the Downstream bandwidth threshold.
bandwidth threshold
Each IP's maximum bandwidth
When an IP address usage over above upstream or downstream
thresholds, the penalty is triggered.Please setup penalty
upstream / downstream bandwidth.
91
SSL/IPSec VPN Firewall
Penalty mechanism
Select the second penalty, if one user triggered the internal
condition, this user will has a second penalty.
Show Penalty IP
Display penalty IP addresses, upstream limit, downstream limit
and second penalty information.
8.1.4 Bandwidth Management Scheduling
You can use Time Schemer function to deploy difference traffic management scripts in difference time, so
that we can use maximum bandwidth efficiency.
Enable Bandwidth Management
Enable Bandwidth Management Scheduling
Scheduling
Date
From Sunday to Saturday
Schedule
We have three time ranges can setup in one day, and the clock
formula is 24H. If you select ―All day‖ in the first time range,
then others time range will blank and unable to setup. The time
ranges can’t overlap. We have ―shutdown‖, QoS and Smart
QoS methods can be used.
92
SSL/IPSec VPN Firewall
Beside schedule
Other unspecified time, we still can deploy ―shutdown‖, ‖QoS‖
or ―Smart QoS‖ methods for traffic management.
Apply
Click ―Apply‖ button to saving configuration.
Cancel
Click ―Cancel‖ button to reject modification.
Close
Click ―Close‖ button to leaving this configuration page without
saving.
8.1.5 Exception IP address
If some users are allowed to avoid traffic management control, you can use this function to fulfill the
requirement.
93
SSL/IPSec VPN Firewall
WAN
Select WAN ports.
Source IP
Enter the exempted IP range, or select the exempted IP group.
Do
not
control
Select do not control upload, download, or both of them.
Direction
Enabled
Enable this policy.
Add to List
Add this policy into the exempted list.
Delete Selected
Delete selected list.
item
Apply
Click ―Apply‖ button to saving configuration.
Cancel
Click ―Cancel‖ button to reject modification.
8.2 Session control
Session management controls the acceptable maximum simultaneous sessions of Intranet PCs.
This function is very useful for managing connection quantity when P2P software such as BT, Thunder,
or emule is used in the Intranet causing large numbers of sessions. Setting up proper limitations on
sessions can effectively control the sessions created by P2P software. It will also have a limiting effect
on bandwidth usage.
In addition, if any Intranet PC is attacked by a virus like Worm.Blaster and sends a huge number of
session requests, session control will restrict that as well.
Session Control and Scheduling：
94
SSL/IPSec VPN Firewall
Disabled
Disable Session Control function.
Single IP cannot
This option enables the restriction of maximum external sessions to each
exceed _ session
Intranet PC. When the number of external sessions reaches the limit, to
allow new sessions to be built, some of the existing sessions must be
closed. For example, when BT or P2P is being used to download
information and the sessions exceed the limit, the user will be unable to
connect with other services until either BT or P2P is closed.
When single IP
exceed _ session
If this function is selected, when the user’s port session reach the limit, this
user will not be able to make a new session for five minutes. Even if the
previous session has been closed, new sessions cannot be made until the
setting time ends.
If this function is selected, when the user’s port connections reach the limit,
all the lines that this user is connected with will be removed, and the user
will not be able to connect with the Internet for five minutes. New
connections cannot be made until the delay time ends.
95
SSL/IPSec VPN Firewall
Scheduling
If ―Always‖ is selected, the rule will be executed around the clock.
If ―From…‖ is selected, the rule will be executed according to the
configured time range. For example, if the time control is from Monday to
Friday, 8:00am to 6:00pm, users can refer to the following figure to set up
the rule.
Apply
Click “Apply” to save the configuration.
Cancel
Click “Cancel" to leave without making any change.
Exempted Service Port or IP Address
Some IP addresses or specified services should be free in a environment, for example: SMTP service,
you can use this function to avoid the session control.
Service
Choose the service port.
IP Address
Input the IP address range or IP group.
96
SSL/IPSec VPN Firewall
Enabled
Activate the rule.
Add to list
Add this rule to the list.
Delete selected
Remove the rules selected from the Service List.
item
Apply
Click “Apply” to save the configuration.
Cancel
Click “Cancel" to leave without making any change.
97
SSL/IPSec VPN Firewall
8.3 Hardware Optimization (Future Feature)
This VPN router not only provides high processing performance but also launches ―hardware
optimization’ function for bandwidth control and traffic prioritization.
The main purpose is to process the
bandwidth functions through hardware design, which can accelerate and prioritize the traffic distribution and
usage without wasting CPU and system resources. Hardware optimization will speed up the router processing,
carry huge connection sessions and PCs, and provide stable and excellent network environment.
Service Optimization:
Service ports that online games and video softwares will be the highest priority.
Router can process these
games or videos traffic in first priority. In this way, users can play games or watch videos fluently without
disconnection even when the traffic is full.
MAC address
Pull down menus includes:
98
SSL/IPSec VPN Firewall
(1) Source MAC address: Hardware optimization will only be effective to guarantee
the traffic in high priorities when the traffic rules match source MAC addresses.
(2) Destination MAC address: Hardware optimization will only be effective to
guarantee the traffic in high priorities when the traffic rules match destination MAC
addresses.
(3) None: The traffic rules neither match traffic rules nor check MAC addresses.
IP address
Pull down menus includes:
(1) Source IP address: Hardware optimization will only be effective to guarantee the
traffic in high priorities when the traffic rules match source IP addresses.
(2) Destination IP address: Hardware optimization will only be effective to guarantee
the traffic in high priorities when the traffic rules match destination IP addresses.
(3) None: The traffic rules neither match traffic rules nor check MAC addresses.
IP Protocol
Choose service port protocols for games, videos, or other network applications
required to be prioritized.
You can choose TCP, UDP, or any other protocols listed.
Action
Input service ports for games, videos, or other network applications required to be
prioritized. Range is 1~65535.
Enable
Activate the rule.
Add to list
Add this rule to the list.
Delete selected
Remove the rules selected from the Service List.
entry
99
SSL/IPSec VPN Firewall
IX. Firewall
This chapter introduces firewall general policy, access rule, and content filter settings to ensure network
security.
9.1 General Policy
The firewall is enabled by default. If the firewall is set as disabled, features such as SPI, DoS, and
outbound packet responses will be turned off automatically. Meanwhile, the remote management feature will
be activated. The network access rules and content filter will be turned off.
Firewall
This feature allows users to turn on/off the firewall.
SPI (Stateful Packet
This enables the packet automatic authentication detection technology. The
Inspection)
Firewall operates mainly at the network layer. By executing the dynamic
authentication for each connection, it will also perform an alarming function
for application procedure. Meanwhile, the packet authentication firewall may
decline the connections which use non-standard communication protocol.
DoS (Denial of
This averts DoS attacks such as SYN Flooding, Smurf, LAND, Ping of Death,
Service)
IP Spoofing and so on.
100
SSL/IPSec VPN Firewall
Block WAN Request
If set as Enabled, then it will shut down outbound ICMP and abnormal packet
responses in connection. If users try to ping the WAN IP from the external,
this will not work because the default value is set as activated in order to
decline the outbound responses.
Remote
To enter the device web- based UI by connecting to the remote Internet, this
Management
feature must be activated. In the field of remote browser IP, a valid external IP
address (WAN IP) for the device should be filled in and the modifiable default
control port should be adjusted (the default is set to 80, modifiable).
Multicast Pass
There are many audio and visual streaming media on the network.
Through
Broadcasting may allow the client end to receive this type of packet message
format. This feature is off by default.
Prevent ARP Virus
This feature is designed to prevent the intranet from being attacked by ARP
Attack
spoofing, causing the connection failure of the PC. This ARP virus cheat
mostly occurs in Internet cafes. When attacked, all the online computers
disconnect immediately or some computers fail to go online. Activating this
feature may prevent the attack by this type of virus.
101
SSL/IPSec VPN Firewall
Advanced Function
Packet Type: This device provides three types of data packet transmission:
TCP-SYN-Flood, UDP-Flood and ICMP-Flood.
WAN Threshold: When all packet values from external attack or from single
external IP attack reach the maximum amount (the default is 15000
packets/Sec and 2000 packets/Sec respectively), if these conditions above
occurs, the IP will be blocked for 5 minutes ( the default is 5 minutes OBJ
176 ). Users can adjust the threshold value and the blocking duration to
effectively deal with external attack. The threshold value should be adjusted
from high to low.
LAN Threshold: When all packet values from internal attack or from single
internal IP attack reach the maximum amount (the default is 15000
packets/Sec and 2000 packets/Sec respectively), if these conditions above
102
SSL/IPSec VPN Firewall
occurs, the IP will be blocked for 5 minutes (the default is 5 minutes). Users
can adjust the threshold value and the blocking duration to effectively deal
with external attack. The threshold value should be adjusted from high to
low.
Exception Source IP
Input the exempted source IP.
Exception Dest. IP
Input the exempted Destination IP addresses.
Apply
Click “Apply” to save the configuration.
Cancel
Click “Cancel" to leave without making any change.
Skype-Exception IP/Group
Blocking Skype might affect some website visits or logins. When blocking
Skype application, it is recommended to add the websites which are
frequently visited or necessary into the exception list to avoid from visiting or
login to the websites.
QQ- Exception QQ Number
You can add the user QQ accounts which are not required to block to the
exception QQ number list, as the following chart.
103
SSL/IPSec VPN Firewall
Exception IP address: You can add user IP or IP ranges in to the exception IP list. These intranet users
won’t have the application block above.
104
SSL/IPSec VPN Firewall
Special service
Choose the blocked service application.
Exception IP
Add the IPs which are not required for blocking.
Add to list
Add this rule to the list.
Delete selected item
Remove the rules selected from the Service List.
Block Filter Type: Some data format transmits might occupy huge network resources, for example, exe and
zip files.
You can choose to block these format transmits.
105
SSL/IPSec VPN Firewall
Special service
Choose the blocked service application.
Exception IP
Add the IPs which are not required for blocking.
106
SSL/IPSec VPN Firewall
Add to list
Add this rule to the list.
Delete selected item
Remove the rules selected from the Service List.
9.2 Access Rule
Users may turn on/off the setting to permit or forbid any packet to access internet. Users may select
to set different network access rules: from internal to external or from external to internal. Users may set
different packets for IP address and communication port numbers to filter Internet access rules.
Network access rule follows IP address, destination IP address, and IP communications protocol
status to manage the network packet traffic and make sure whether their access is allowed by the
firewall.
9.2.1 Default Access Rule
The device has a user-friendly network access regulatory tool. Users may define network access rules.
They can select to enable/ disable the network so as to protect all internet access. The following describes the
internet access rules:

All traffic from the LAN to the WAN is allowed - by default.

All traffic from the WAN to the LAN is denied - by default.

All traffic from the LAN to the DMZ is allowed - by default.

All traffic from the DMZ to the LAN is denied - by default.

All traffic from the WAN to the DMZ is allowed - by default.

All traffic from the DMZ to the WAN is allowed - by default.
Users may define access rules and do more than the default rules. However, the following four extra
service items are always on and are not affected by other user-defined settings.
* HTTP Service (from LAN to Device) is on by default (for management)
* DHCP Service (from LAN to Device) is set to on by default (for the automatic IP retrieval)
* DNS Service (from LAN to Device) is on by default (for DNS service analysis)
* Ping Service (from LAN to Device) is on by default (for connection and test)
107
SSL/IPSec VPN Firewall
In addition to the default rules, all the network access rules will be displayed as illustrated above. Users
may follow or self- define the priority of each network access rule. The device will follow the rule priorities one
by one, so please make sure the priority for all the rules can suit the setting rules.
Edit
Delete
Define the network access rule item
Remove the item.
Add New Rule
Create a new network access rule
Return to Default
Restore all settings to the default values and delete all the self-defined
Rule
settings.
108
SSL/IPSec VPN Firewall
9.2.2 Add New Access Rule
Action
Allow: Permits the pass of packets compliant with this control rule
Deny: Prevents the pass of packets not compliant with this control rule
Service
From the drop-down menu, select the service that users grant or do not
give permission.
Service
If the service that users wish to manage does not exist in the drop-down
Management
menu, press – Service Management to add the new service.
From the pop-up window, enter a service name and communications
protocol and port, and then click the ―Add to list‖ button to add the new
service.
Log
No Log: There will be no log record.
Create Log when matched: Event will be recorded in the log.
Source Interface
Select the source port whether users are permitted or not (for example:
109
SSL/IPSec VPN Firewall
LAN, WAN1, WAN2 or Any). Select from the drop-down menu.
Source IP
Select the source IP range (for example: Any, Single, Range, or preset IP
group name). If Single or Range is selected, please enter a single IP
address or an IP address within a session.
Dest. IP
Select the destination IP range (such as Any, Single, Range, or preset IP
group name) If Single or Range is selected; please enter a single IP
address or an IP address within a session.
Scheduling
Select “Always” to apply the rule on a round-the-clock basis. Select
“from”, and the operation will run according to the defined time.
Apply this rule
Select "Always" to apply the rule on a round-the-clock basis.
If ―From‖ is selected, the activation time is introduced as below
… to …
This control rule has time limitation. The setting method is in 24-hour
format, such as 08:00 ~ 18:00 (8 a.m. to 6 p.m.)
Day Control
Everyday‖ means this period of time will be under control everyday. If users
only certain days of a week should be under control, users may select the
desired days directly.
Apply
Click “Apply” to save the configuration.
Cancel
Click “Cancel" to leave without making any change.
Example1: How to block TCP 135-139 ports
First, add a new TCP 135-139 service port object(please refer the service port chapter), and the finish
below configurations.
Action: Deny
Service: TCP135-139
Source Interface: Any
Source IP address: Any
Destination IP address: Any
110
SSL/IPSec VPN Firewall
Example2: How to block LAN IP addresses from 192.168.1.200-192.168.1.230 to access the TCP 80
port ?
Action: Deny
Service: TCP 80
Source Interface: Range
Source IP address: range from 192.168.1.200 to 192.168.1.230
Destination address: Any
9.3 Content Filter
The VPN Router supports two webpage restriction modes: one is to block certain forbidden domains, and
the other is to give access to certain web pages. Only one of these two modes can be selected.
111
SSL/IPSec VPN Firewall
Block Forbidden Domain:
Fill in the complete website such as www.sex.com to have it blocked.
112
SSL/IPSec VPN Firewall
Forbidden Domains
Click to enable the forbidden domains function.
Default is Disabled.
Enabled
Add
Input the website to be controlled. For example, www.playboy.com
Exception IP Address
Input the IP or IP ranges not to be controlled.
Add to list
Click ‖Add to list‖ to create a new website to be controlled.
Delete selected domain
Click to select one or more controlled websites and click this option to
delete.
Apply
Click “Apply” to save the configuration.
Cancel
Click “Cancel" to leave without making any change.
113
SSL/IPSec VPN Firewall
Website Blocking by Keywords:
Enable Website
Click to activate this feature. The default setting is disabled. For example: If
Blocking by
users enter the string ‖sex‖, any websites containing ‖sex‖ will be blocked.
Keywords
Add
Enter keywords. Only for English keyword.
Exception IP
Input the IP or IP ranges not to be controlled.
address
Add to List
Add this new service item content to the list.
Delete selected item
Delete the service item content from the list
Apply
Click ―Apply‖ to save the modified parameters.
Cancel
Click ―Cancel‖ to cancel all the changes made to the parameters.
Accept Allowed Domains:
In some companies or schools, employees and students are only allowed to access some specific
114
SSL/IPSec VPN Firewall
websites. This is the purpose of the function.
Select ―Accept Allowed Domains‖ check box, you will see below setup windows:
Allowed Domains Enabled
Activate the function. The default setting is ―Disabled.‖
Add
Input the allowed domain name, etc. www.google.com
Add to list
Add the rule to list.
Delete selected item
Users can select one or more rules and click to delete.
Apply
Click ―Apply‖ to save the modified parameters.
Cancel
Click ―Cancel‖ to cancel all the changes made to the parameters.
Exception IP address:
You can exempted some IP addresses or IP group from the ―Allow Domain‖.
115
SSL/IPSec VPN Firewall
Enter the exempted IP addresses or IP group.
Exception IP
address/Group
Add to list
Click this button to add exempted IP addresses or IP group.
Delete selected range
Click this button to delete selected exempted IP address or IP group.
Content Filter Scheduling:
Select “Always” to apply the rule on a round-the-clock basis. Select “from”, and the operation will run
according to the defined time. For example, if the control time runs from 8 a.m. to 6 p.m., Monday to Friday,
users may control the operation according to the following illustrated example.
Always
Select ―Always‖ to apply the rule on a round-the-clock basis. Select ―from‖, and the
operation will run according to the defined time.
…to…
Select "Always" to apply the rule on a round-the-clock basis.
If ―From‖ is selected, the activation time is introduced as below
Day Control
This control rule has time limitation. The setting method is in 24-hour format, such as
08:00 ~ 18:00 (8 a.m. to 6 p.m.)
116
SSL/IPSec VPN Firewall
X. VPN (Virtual Private Network)
10.1 VPN
10.1.1. Display All VPN Summary
This VPN Summary displays the real-time data with regard to VPN status. These data include: all tunnel
numbers (PPTP, IPSec + QnoKey and IPSec VPN), setting parameters and Group VPN and so forth.
117
SSL/IPSec VPN Firewall
Advanced Setting： Through Advanced setting, users may adjust the tunnel number of IPSec and
QnoKey.
This shows how many VPN tunnels are in use or available.
Detail: Push this button to display the following information with regard to all current VPN configurations
to facilitate VPN connection management.
118
SSL/IPSec VPN Firewall
VPN Tunnel Status:
The following describes VPN Tunnel Status, the current status of VPN tunnel in detail：
Previous Page/Next
Page, Jump to __/__
Page, __
Click Previous page or Next page to view the desired VPN tunnel
page. Or users can select the page number directly to view all VPN
tunnel statuses, such as 3, 5, 10, 20 or All.
Entries Per
Page
Tunnel No.
To set the embedded VPN feature, please select the tunnel number. It
supports up to 300 IPSec VPN tunnel Setting (gateway to gateway as
well as client to gateway).
Status
Successful connection is indicated as-(Connected).
Failing hostname resolution is indicated as - (Hostname Resolution
Failed).
Resolving hostname is indicated as -(Resolving Hostname)
Waiting to be connected is indicated as - (Waiting for Connection).
If users select Manual setting for IPSec setup, the status message will
display as ―Manual‖ and there is no Tunnel test function available for
this manual setting.
Account ID
Displays the current VPN tunnel connection name, such as XXX
Office. Users are well-advised to give them different names to avoid
119
SSL/IPSec VPN Firewall
confusion should users have more than one tunnel settings.
Note: If this tunnel is to be connected to other VPN device (not this
device), some device requires that the tunnel name is identical to the
name of the host end to facilitate verification. This tunnel can thus be
successfully enabled.
Phase2
Displays settings such as encryption (DES/3DES), authentication
Encrypt/Auth/Group
(MD5/SHA1) and Group (1/2/5).
If users select Manual setting for IPSec, Phase 2 DH group will not
display.
Local Group
Displays the setting for VPN connection secure group of the local end.
Remote Group
Displays the setting for remote VPN connection secure group.
Remote Gateway
Set the IP address to connect the remote VPN device. Please set the
VPN device with a valid IP address or domain name.
Control
Click “Connect” to verify the tunnel status. The test result will be
updated. To disconnect, click “Disconnect” to stop the VPN
connection.
Config.
Setting items include Edit and Delete icon.
Click on Edit to enter the setting items and users may change the
settings. Click on the trash bin icon
and all the tunnel settings will
be deleted.
__ Tunnel(s) Enabled:
This displays how many tunnels are enabled and how many tunnels
are set.
__ Tunnel(s) Defined:
VPN Group Tunnel Status：
If there is no setting for Group VPN, there will be no display of VPN Group status.
Group Name
Displays the tunnel name of the Group VPN that is connected.
120
SSL/IPSec VPN Firewall
Connected Tunnels
Displays the VPN Groups tunnel numbers.
Phase2
Encrypt/Auth/DH
Displays settings such as encryption (DES/3DES), authentication
(MD5/SHA1) and Group (1/2/5).
If users select Manual setting for IPSec, Phase 2 DH group will not be
displayed.
Local Group
Displays the VPN connection secure setting for the local group.
Remote Client
Displays the name of this group for remote VPN Connection secure group
setting.
Remote Client Status
Click on Detail List, and more information such as Group Name, IP
address and the connection time will be displayed.
Control
Click Connect to verify the status of the tunnel. The test result will be
updated in this status.
Config.
As illustrated below, configurations include Edit and Delete
icon. Click
on Edit to enter the setting items to be changed. Click on the trash bin icon
, and all the tunnel settings will be deleted.
10.1.2. Add a New VPN Tunnel
The device supports Gateway to Gateway tunnel or Client to Gateway tunnel.
The VPN tunnel connections are done by 2 VPN devices via the Internet. When a new tunnel is added,
the setting page for Gateway to Gateway or Client to Gateway will be displayed.
Gateway to Gateway:
Click ―Add‖ to enter the setting page of Gateway to Gateway.
121
SSL/IPSec VPN Firewall
Client to Gateway:
Click ―Add‖ to enter the setting page of Client to Gateway.
122
SSL/IPSec VPN Firewall
10.1.2.1. Gateway to Gateway Setting
The following instructions will guide users to set a VPN tunnel between two devices.
Tunnel No.
Set the embedded VPN feature, please select the Tunnel number.
Tunnel Name
Displays the current VPN tunnel connection name, such as XXX Office. Users
are well-advised to give them different names to avoid confusion.
Note: If this tunnel is to be connected to the other VPN device, some device
requires that the tunnel name is identical to the name of the host end to facilitate
verification. This tunnel can thus be successfully enabled.
Interface
From the pull-down menu, users can select the Interface for this VPN tunnel.
Enabled
Click to activate the VPN tunnel. This option is set to activate by default.
Afterwards, users may select to activate this tunnel feature.
Local Group Setup:
This Local Security Gateway Type must be identical with that of the remote type (Remote Security
Gateway Type).
Local Security Gateway
Type
This local gateway authentication type comes with five operation
modes, which are:
IP only IP + Domain Name (FQDN) Authentication
IP + E-mail Addr. (USER FQDN) Authentication
123
SSL/IPSec VPN Firewall
Dynamic IP + Domain Name (FQDN) Authentication
Dynamic IP + E-mail Addr. (USER FQDN) Authentication.
Dynamic IP address + Email address name
(1) IP only:
If users decide to use IP only, entering the IP address is the only way
to gain access to this tunnel. The WAN IP address will be
automatically filled into this space. Users don't need to do further
settings.
(2) IP + Domain Name(FQDN)
Authentication:
If users select IP + domain name type, please enter the domain name
and IP address. The WAN IP address will be automatically filled into
this space. Users don't need to do further settings. FQDN refers to the
combination of host name and domain name and can be retrieved
from the Internet, i.e. vpn.server.com. This IP address and domain
name must be identical to those of the VPN secure gateway setting
type to establish successful connection.
(3) IP + E-mail Addr. (USER FQDN) Authentication.
If users select IP address and E-mail, enter the IP address and E-mail
address to gain access to this tunnel and the WAN IP address will be
automatically filled into this space. Users don't need to do further
settings.
(4) Dynamic IP + Domain Name(FQDN) Authentication:
124
SSL/IPSec VPN Firewall
If users use dynamic IP address to connect to the device, users may
select this option to link to VPN. If the remote VPN gateway requires
connection to the device for VPN connection, this device will start
authentication and respond to this VPN tunnel connection; if users
select this option to link to VPN, please enter the domain name.
(5) Dynamic IP + E-mail Addr. (USER FQDN) Authentication.
If users use dynamic IP address to connect to the device, users may
select this option to connect to VPN without entering IP address.
When VPN Gateway requires for VPN connection, the device will start
authentication and respond to VPN tunnel connection; If users select
this option to link to VPN, enter E-Mail address to the empty field for
E-Mail authentication.
Local Security Group
Type
This option allows users to set the local VPN connection access type.
The following offers a few items for local settings. Please select and
set appropriate parameters:
1. IP address
This option allows the only IP address which is entered to build
the VPN tunnel.
Reference: When this VPN tunnel is connected, computers with the
IP address of 192.168.1.0 can establish connection.
2. Subnet
This option allows local computers in this subnet can be connected to
the VPN tunnel.
125
SSL/IPSec VPN Firewall
Reference: When this VPN tunnel is connected, only computers with
the session of 192.168.1.0 and with subnet mask as 255.255.255.0
can connect with remote VPN.
3. IP Range
This option allows connection only when IP address range which is
entered after the VPN tunnel is connected.
Reference: When this VPN tunnel is connected, computers with the IP
address of 192.168.1.0 ~254 can establish connection.
Remote Group Setup:
This remote gateway authentication type (Remote Security Gateway Type) must be identical to the
remotely-connected local security gateway authentication type (Local Security Gateway Type).
Remote Security Gateway This remote gateway authentication type comes with five operation
modes, which are:
Type
IP only-Authentication by use of IP only
IP + Domain Name (FQDN) Authentication, -IP + Domain name
IP + E-mail Addr. (USER FQDN) Authentication, -IP + Email
address
Dynamic IP + Domain Name (FQDN) Authentication, -Dynamic IP
address + Domain name
Dynamic IP + E-mail Addr. (USER FQDN) Authentication.
Dynamic IP address + Email address name
(1) IP only:
126
SSL/IPSec VPN Firewall
If users select the IP Only type, entering this IP allows users to gain
access to this tunnel.
If the IP address of the remote client is unknown, choose IP by DNS
Resolved, allowing DNS to translate IP address. When users finish
the setting, the corresponding IP address will be displayed under the
remote gateway of Summary.
Or users can choose IP by Multiple DNS Resolved, and IP address
can be translated through DNS. When users finish the setting, the
corresponding IP address will be displayed under the remote
gateway of Summary.
(2) IP + Domain Name(FQDN) Authentication:
If users select IP + domain name, please enter IP address and the
domain name to be verified. FQDN refers to the combination of host
name and domain name. Users may enter any name that
corresponds to the domain name of FQDN. This IP address and
domain name must be identical to those of the remote VPN security
gateway setting type to establish successful connection.
If the remote IP address is unknown, choose IP by DNS Resolved,
allowing DNS to translate the IP address. This domain name must
be available on the Internet. When users finish the setting, the
127
SSL/IPSec VPN Firewall
corresponding IP address will be displayed under the remote
gateway of Summary.
Or users can choose IP by Multiple DNS Resolved, and IP address
can be translated through DNS. When users finish the setting, the
corresponding IP address will be displayed under the remote
gateway of Summary.
(3) IP + E-mail Addr. (USER FQDN) Authentication:
If users select IP address and E-mail type, entering the IP address
and the E-mail allows users to gain access to this tunnel.
If the remote IP address is unknown, choose IP by DNS Resolved,
allowing DNS to translated the IP address. This domain name must
be available on the Internet. When users finish the setting, the
corresponding IP address will be displayed under the remote
gateway of Summary.
128
SSL/IPSec VPN Firewall
Or users can choose IP by Multiple DNS Resolved, and IP address
can be translated through DNS. When users finish the setting, the
corresponding IP address will be displayed under the remote
gateway of Summary.
(4) Dynamic IP + Domain Name(FQDN) Authentication:
If users use dynamic IP address to connect with the device, users
may select the combination of the dynamic IP address, host name
and domain name.
(5) Dynamic IP + E-mail Addr. (USER FQDN) Authentication.
If users use dynamic IP address to connect with the device, users
may select this type to link to VPN. When the remote VPN gateway
requires connection to facilitate VPN connection, the device will start
authentication and respond to the VPN tunnel connection; Please
enter the E-Mail to the empty space.
129
SSL/IPSec VPN Firewall
Remote Security Group
Type
This option allows users to set the remote VPN connection access
type. The following offers a few items for remote settings. Please
select and set appropriate parameters:
(1) IP address
This option allows the only IP address which is entered to build the
VPN tunnel.
Reference: When this VPN tunnel is connected, computers with the
IP address of 192.168.2.1 can establish connection.
(2) Subnet
This option allows local computers in this subnet can be connected
to the VPN tunnel.
Reference: When this VPN tunnel is connected, only computers
with the session of 192.168.2.0 and with subnet mask as
255.255.255.0 can connect with remote VPN.
(3) IP Address Range
This option allows connection only when IP address range which is
entered after the VPN tunnel is connected.
Reference: When this VPN channel is connected, computers with
the IP address range between 192.168.2.1 and 192.168.1.254 can
establish connection.
IPSec Setup
If there is any encryption mechanism, the encryption mechanism of these two VPN tunnels must be
identical in order to create connection. And the transmission data must be encrypted with IPSec key, which is
known as the encryption "key". The device provides the following two encrypted Key Managements. They are
130
SSL/IPSec VPN Firewall
Manual and IKE automatic encryption mode- IKE with Preshared Key (automatic). By using the drop down
menu, select the desired encryption mode as illustrated below.
Encryption Management Protocol:
When users set this VPN tunnel to use any encryption and authentication mode, users must set the
parameter of this exchange password with that of the remote. Setting methods include Auto (IKE) or Manual.
To do the settings, select any one from the two options.
131
SSL/IPSec VPN Firewall
Use IKE Protocol:
Click the shared key generated by IKE to encrypt and authenticate the remote user. If PFS (Perfect
Forward Secrecy) is enabled, the Phase 2 shared key generated during the IKE coordination will conduct
further encryption and authentication. When PFS is enabled, hackers using brute force to capture the key will
not be able to get the Phase 2 key in such a short period of time.

Perfect Forward Secrecy: When users check the PFS option, don't forget to activate the PFS
function of the VPN device and the VPN Client as well.

Phase 1/ Phase 2 DH Group: This option allows users to select Diffie-Hellman groups: Group
1/ Group 2/ Group 5.

Phase 1/ Phase 2 Encryption: This option allows users to set this VPN tunnel to use any
encryption mode. Note that this parameter must be identical to that of the remote encryption
parameter: DES (64-bit encryption mode), 3DES (128-bit encryption mode), AES (the standard
of using security code to encrypt information). It supports 128-bit, 192-bit, and 256-bit encryption
keys.

Phase 1/Phase 2 Authentication: This authentication option allows users to set this VPN
tunnel to use any authentication mode. Note that this parameter must be identical to that of the
remote authentication mode: ―MD5‖ or ―SHA1‖.

Phase 1 SA Life Time: The life time for this exchange code is set to 28800 seconds (or 8hours)
by default. This allows the automatic generation of other exchange password within the valid
time of the VPN connection so as to guarantee security.

Phase2 SA Life Time: The life time for this exchange code is set to 3600 seconds (or 1hours)
by default. This allows the automatic generation of other exchange password within the valid
time of the VPN connection so as to guarantee security.

Preshared Key：For the Auto (IKE) option, enter a password of any digit or characters in the text
of ―Pre-shared Key‖ (the example here is set as test), and the system will automatically translate
what users entered as exchange password and authentication mechanism during the VPN
tunnel connection. This exchange password can be made up of up to 30 characters.
132
SSL/IPSec VPN Firewall
Manual Mode (Future Feature)
If the Manual mode is selected, users need to set encryption key manually without negotiation.
●
It is divided into two types: ―Encryption KEY‖ and ―Authentication KEY‖. Users may enter an
exchange password made up of either digits or characters. The systems will automatically
translate what users entered into the exchange password and authentication mechanism during
the VPN tunnel connection. This exchange password can be made up of digits and characters
up to 23.
●
Moreover, the exchange strings for ―Incoming SPI‖ and ―Outgoing SPI‖ must be identical to
those of the connected VPN device. For the Incoming SPI parameters, users must set it the
same with the Outgoing SPI string of the remote VPN device. And the Outgoing SPI string must
be the same with the incoming SPI string of the remote VPN device.
133
SSL/IPSec VPN Firewall
Advanced Setting- for IKE Protocol Only
The advanced settings include Main Mode and Aggressive mode. For the Main mode, the default setting
is set to VPN operation mode. The connection is the same to most of the VPN devices.
●
Aggressive Mode: This mode is mostly adopted by remote devices. The IP connection is
designed to enhance the security control if dynamic IP is used for connection.
●
Use IP Header Compression Protocol: If this option is selected, in the connected VPN tunnel,
the device supports IP Payload Compression Protocol.
●
Keep Alive: If this option is selected, VPN tunnel will keep this VPN connection. This is mostly
used to connect the remote node of the branch office and headquarter or used for the remote
dynamic IP address.
●
AH hash calculation: For AH (Authentication Header), users may select MD5/DSHA-1.
●
NetBIOS Broadcast: If this option is selected, the connected VPN tunnel allows the passage of
NetBIOS broadcast packet. This facilitates the easy connection with other Microsoft network;
however, the traffic using this VPN tunnel will increase.
●
Dead Peer Detection (DPD): If this option is selected, the connected VPN tunnel will regularly
transmit HELLO/ACK message packet to detect whether there is connection between the two
ends of the VPN tunnel. If one end is disconnected, the device will disconnect the tunnel
automatically and then create new connection. Users can define the transmission time for each
DPD message packet, and the default value is 10 seconds.
134
SSL/IPSec VPN Firewall
10.1.2.2. Client to Gateway Setting
The following describes how an administrator builds a VPN tunnel between devices. Users can set this
VPN tunnel to be used by one client or by a group of clients (Group VPN) at the client end. If it is used by a
group of clients, the individual setting for remote clients can be reduced. Only one tunnel will be set and used
by a group of clients, which allows easy setting.
Situation in Tunnel：
Tunnel No.
Set the embedded VPN feature, please select the Tunnel number.
Displays the current VPN tunnel connection name, such as XXX Office.
Users are well-advised to give them different names to avoid confusion.
Tunnel Name
Interface
Note: If this tunnel is to be connected to the other VPN device, some
device requires that the tunnel name is identical to the name of the host
end to facilitate verification. This tunnel can thus be successfully enabled.
Users may select which port to be the node for this VPN channel. They
can be applied for VPN connections.
Enabled
Click to Enable to activate the VPN tunnel. This option is set to Enable
by default. After users set up, users may select to activate this tunnel
feature.
Local Group Setup
This local gateway authentication type (Local Security Gateway Type) must be identical with that of the
remote type (Remote Security Gateway Type).
Local Security Gateway
This local gateway authentication type comes with five operation
modes, which are:
135
SSL/IPSec VPN Firewall
Type
IP only - Authentication by the use of IP only
IP + Domain Name (FQDN) Authentication, -IP + Domain name
IP + E-mail Addr. (USER FQDN) Authentication,-IP + Email
address
Dynamic IP + Domain Name (FQDN) Authentication, -Dynamic
IP address + Domain name
Dynamic IP + E-mail Addr. (USER FQDN) Authentication.
Dynamic IP address + Email address name
(1) IP only:
If users decide to use IP only, entering the IP address is the only
way to gain access to this tunnel. The WAN IP address will be
automatically filled into this space. Users don't need to do further
settings.
(2) IP + Domain Name(FQDN)
Authentication:
If users select IP + domain name type, please enter the domain
name and IP address. The WAN IP address will be automatically
filled into this space. Users don't need to do further settings. FQDN
refers to the combination of host name and domain name and can
be retrieved from the Internet, i.e. vpn.server.com. This IP address
and domain name must be identical to those of the VPN secure
gateway setting type to establish successful connection.
(3) IP + E-mail Addr. (USER FQDN) Authentication.
If users select IP address and E-mail, enter the IP address and
E-mail address to gain access to this tunnel and the WAN IP
address will be automatically filled into this space. Users don't need
to do further settings.
136
SSL/IPSec VPN Firewall
(4) Dynamic IP + Domain Name(FQDN) Authentication:
If users use dynamic IP address to connect to the device, users may
select this option to link to VPN. If the remote VPN gateway requires
connection to the device for VPN connection, this device will start
authentication and respond to this VPN tunnel connection; if users
select this option to link to VPN, please enter the domain name.
(5) Dynamic IP + E-mail Addr. (USER FQDN) Authentication.
If users use dynamic IP address to connect to the device, users may
select this option to connect to VPN without entering IP address.
When VPN Gateway requires for VPN connection, the device will
start authentication and respond to VPN tunnel connection; if users
select this option to link to VPN, enter E-Mail address to the empty
field for E-Mail authentication.
Local Security Group
Type
This option allows users to set the local VPN connection access
type. The following offers a few items for local settings. Please
select and set appropriate parameters:
4. IP address
This option allows the only IP address which is entered to build
the VPN tunnel.
Reference: When this VPN tunnel is connected, computers with the
IP address of 192.168.1.0 can establish connection.
137
SSL/IPSec VPN Firewall
5. Subnet
This option allows local computers in this subnet to be connected to
the VPN tunnel.
Reference: When this VPN tunnel is connected, only computers
with the session of 192.168.1.0 and with subnet mask as
255.255.255.0 can connect with remote VPN.
6. IP Range
This option allows connection only when IP address range which is
entered after the VPN tunnel is connected.
Reference: When this VPN tunnel is connected, computers with the
IP address of 192.168.1.0 ~254 can establish connection.
Remote Group Setup:
This remote gateway authentication type (Remote Security Gateway Type) must be identical to the
remotely-connected local security gateway authentication type (Local Security Gateway Type).
Remote Security Gateway This local gateway authentication type comes with five operation
modes, which are:
Type
IP only
IP + Domain Name (FQDN) Authentication
IP + E-mail Addr. (USER FQDN) Authentication Dynamic IP +
Domain Name (FQDN) Authentication
Dynamic IP + E-mail Addr. (USER FQDN) Authentication
138
SSL/IPSec VPN Firewall
(1) IP only:
If users decide to use IP only, entering the IP address is the only
way to gain access to this tunnel. The WAN IP address will be
automatically filled into this space. Users don't need to do further
settings.
(2) IP + Domain Name(FQDN)
Authentication:
If users select IP + domain name type, please enter the domain
name and IP address. The WAN IP address will be automatically
filled into this space. Users don't need to do further settings. FQDN
refers to the combination of host name and domain name and can
be retrieved from the Internet, i.e. vpn.server.com. This IP address
and domain name must be identical to those of the VPN secure
gateway setting type to establish successful connection.
(3) IP + E-mail Addr. (USER FQDN) Authentication.
If users select IP address and E-mail, enter the IP address and
E-mail address to gain access to this tunnel and the WAN IP
address will be automatically filled into this space. Users don't need
to do further settings.
(4) Dynamic IP + Domain Name(FQDN) Authentication:
If users use dynamic IP address to connect to the device, users may
select this option to link to VPN. If the remote VPN gateway requires
connection to the device for VPN connection, this device will start
139
SSL/IPSec VPN Firewall
authentication and respond to this VPN tunnel connection; if users
select this option to link to VPN, please enter the domain name.
(5) Dynamic IP + E-mail Addr. (USER FQDN) Authentication.
If users use dynamic IP address to connect to the device, users may
select this option to connect to VPN without entering IP address.
When VPN Gateway requires for VPN connection, the device will
start authentication and respond to VPN tunnel connection; if users
select this option to link to VPN, enter E-Mail address to the empty
field for E-Mail authentication.
IPSec Setup
If there is any encryption mechanism, the encryption mechanism of these two VPN tunnels must be
identical in order to create connection. And the transmission data must be encrypted with IPSec key, which is
known as the encryption "key". The device provides the following two encrypted Key Managements. They are
Manual and IKE automatic encryption mode- IKE with Preshared Key (automatic). By using the drop down
menu, select the desired encryption mode as illustrated below.
140
SSL/IPSec VPN Firewall
Encryption Management Protocol:
When users set this VPN tunnel to use any encryption and authentication mode, users must set the
parameter of this exchange password with that of the remote. Setting methods include Auto (IKE) or Manual.
To do the settings, select any one from the two options.
IKE Protocol:
Click the shared key generated by IKE to encrypt and authenticate the remote user. If PFS (Perfect
Forward Secrecy) is enabled, the Phase 2 shared key generated during the IKE coordination will conduct
further encryption and authentication. When PFS is enabled, hackers using brute force to capture the key will
not be able to get the Phase 2 key in such a short period of time.

Perfect Forward Secrecy: When users check the PFS option, don't forget to activate the PFS
function of the VPN device and the VPN Client as well.

Phase 1/ Phase 2 DH Group: This option allows users to select Diffie-Hellman groups: Group
1/ Group 2/ Group 5.

Phase 1/ Phase 2 Encryption: This option allows users to set this VPN tunnel to use any
encryption mode. Note that this parameter must be identical to that of the remote encryption
141
SSL/IPSec VPN Firewall
parameter: DES (64-bit encryption mode), 3DES (128-bit encryption mode), AES (the standard
of using security code to encrypt information). It supports 128-bit, 192-bit, and 256-bit encryption
keys.

Phase 1/Phase 2 Authentication: This authentication option allows users to set this VPN
tunnel to use any authentication mode. Note that this parameter must be identical to that of the
remote authentication mode: ―MD5‖ or ―SHA1‖.

Phase 1 SA Life Time: The life time for this exchange code is set to 28800 seconds (or 8hours)
by default. This allows the automatic generation of other exchange password within the valid
time of the VPN connection so as to guarantee security.

Phase2 SA Life Time: The life time for this exchange code is set to 3600 seconds (or 1hours)
by default. This allows the automatic generation of other exchange password within the valid
time of the VPN connection so as to guarantee security.

Preshared Key：For the Auto (IKE) option, enter a password of any digit or characters in the text
of ―Pre-shared Key‖ (the example here is set as test), and the system will automatically translate
what users entered as exchange password and authentication mechanism during the VPN
tunnel connection. This exchange password can be made up of up to 30 characters.
Manual Mode (Future Feature)
If the Manual mode is selected, users need to set encryption key manually without negotiation.
●
It is divided into two types: ―Encryption KEY‖ and ―Authentication KEY‖. Users may enter an
exchange password made up of either digits or characters. The systems will automatically
translate what users entered into the exchange password and authentication mechanism during
the VPN tunnel connection. This exchange password can be made up of digits and characters
142
SSL/IPSec VPN Firewall
up to 23.
●
Moreover, the exchange strings for ―Incoming SPI‖ and ―Outgoing SPI‖ must be identical to
those of the connected VPN device. For the Incoming SPI parameters, users must set it the
same with the Outgoing SPI string of the remote VPN device. And the Outgoing SPI string must
be the same with the incoming SPI string of the remote VPN device.
Advanced Setting- for IKE Preshareed Key Only
The advanced settings include Main Mode and Aggressive mode. For the Main mode, the default setting
is set to VPN operation mode. The connection is the same to most of the VPN devices.
●
Aggressive Mode: This mode is mostly adopted by remote devices. The IP connection is
designed to enhance the security control if dynamic IP is used for connection.
●
Use IP Header Compression Protocol: If this option is selected, in the connected VPN tunnel,
the device supports IP Payload Compression Protocol.
●
Keep Alive: If this option is selected, VPN tunnel will keep this VPN connection. This is mostly
used to connect the remote node of the branch office and headquarter or used for the remote
dynamic IP address.
●
AH hash calculation: For AH (Authentication Header), users may select MD5/DSHA-1.
●
NetBIOS Broadcast: If this option is selected, the connected VPN tunnel allows the passage of
NetBIOS broadcast packet. This facilitates the easy connection with other Microsoft network;
however, the traffic using this VPN tunnel will increase.
143
SSL/IPSec VPN Firewall
●
Dead Peer Detection (DPD): If this option is selected, the connected VPN tunnel will regularly
transmit HELLO/ACK message packet to detect whether there is connection between the two
ends of the VPN tunnel. If one end is disconnected, the device will disconnect the tunnel
automatically and then create new connection. Users can define the transmission time for each
DPD message packet, and the default value is 10 seconds
Situation in Group VPN: (Future Feature)
Group No.
Two Group VPN settings at most.
Group Name
Displays the current VPN tunnel connection name, such as XXX
Office. Users are well-advised to give them different names to avoid
confusion.
Note: If this tunnel is to be connected to other VPN device, some
device requires that the tunnel name is identical to the name of the host
end to facilitate verification. This tunnel can thus be successfully
enabled.
Interface
From the pull-down list, users can select the Interface for this VPN
tunnel.
Enabled
Click to Enabled the VPN tunnel. This option is set to Enabled by
default. After the set up, users may select to activate this tunnel
feature.
Local Group Setup:
Local Security Group This option allows users to set the local VPN connection access type.
The following offers a few items for local settings. Please select and
Type
set appropriate parameters:
144
SSL/IPSec VPN Firewall
7. IP address
This option allows the only IP address which is entered to build
the VPN tunnel.
Reference: When this VPN tunnel is connected, computers with the
IP address of 192.168.1.0 can establish connection.
8. Subnet
This option allows local computers in this subnet can be connected to
the VPN tunnel.
Reference: When this VPN tunnel is connected, only computers with
the session of 192.168.1.0 and with subnet mask as 255.255.255.0
can connect with remote VPN.
9. IP Range
This option allows connection only when IP address range which is
entered after the VPN tunnel is connected.
Reference: When this VPN tunnel is connected, computers with the
IP address of 192.168.1.0 ~254 can establish connection.
Remote Group Setup
Remote Security client This setting offers three operation modes, which are:
Type
Domain Name (FQDN)
E-mail Address (USER FQDN)
145
SSL/IPSec VPN Firewall
Microsoft XP/2000 VPN Client
(1) Domain Name(FQDN)
If users select Domain Name type, please enter the domain name
to be authenticated. FQDN refers to the combination of host name
and domain name that are available on the Internet (i.e.
vpn.Server.com).The domain name must be identical to the status
setting of the client end to establish successful connection.
(2) E-mail Addr. (USER FQDN)
If users select this option, only filling in the E-mail address allows
access to this tunnel.
(3) Microsoft XP/2000 VPN Client
If users select XP/2000 VPN Client end status, users don't need to
do extra settings.
IPSec Setup
If there is any encryption mechanism, the encryption mechanism of these two VPN channel settings must
be identical in order to establish connection. And the transmission data must be encrypted with IPSec key,
which is also known as the encryption "key". The device provides the following two types of encryption
management modes: Manual and IKE automatic encryption mode- IKE with Preshared Key (automatic). If the
Group VPN is selected or the dynamic IP address of the Remote Security Gateway Type is applied,
Aggressive Mode will be enabled automatically without the option of Manual mode.
146
SSL/IPSec VPN Firewall
Encryption Management Protocol:

Perfect Forward Secrecy: When users check the PFS option, make sure to activate the PFS
feature of the VPN device and that VPN Client as well.

Phase 1/Phase 2 DH Group: This option allows users to select Diffie-Hellman groups: Group 1/
Group 2/ Group 5.

Phase1/Phase2 Encryption: This option allows users to set this VPN channel to use any
encryption mode. Note that this parameter must be identical to that of the remote encryption
parameter: DES (64 - bit encryption mode), 3DES (128-bit encryption mode), AES (the standard
of using security code to encrypt information). It supports 128-bit, 192-bit, and 256-bit encryption
keys.

Phase 1/Phase 2 Authentication: This authentication option allows users to set this VPN
tunnel to use any authentication mode. Note that this parameter must be identical to that of the
remote authentication mode: ―MD5‖ or ―SHA1‖.

Phase1 SA Life Time: The life time for this exchange code is 28800 seconds (or 8 hours) by
default. This allows the automatic generation of other exchange passwords within the valid time
of the VPN connection so as to guarantee security.

Phase2 SA Life Time: The life time for this exchange code is 3600 seconds (or 1 hour) by
147
SSL/IPSec VPN Firewall
default. This allows the automatic generation of other exchange passwords within the valid time
of the VPN connection so as to guarantee security.

Preshared Key: For the Auto (IKE) option, enter a password of any digit or character in the text
of ―Pre-shared Key‖ (the example here is set as test), and the system will automatically translate
what users entered as exchange password and authentication mechanism during the VPN
tunnel connection. This exchange password can be made up of up to 30 characters.
Advanced Setting-for IKE Preshared Key Only
The advanced settings include Main Mode and Aggressive mode. In Main mode, the default setting is
VPN operation mode. The connection is the same as most of the VPN device.
●
Aggressive Mode: This mode is mostly adopted by remote devices. The IP connection is
designed to enhance the security control if dynamic IP is used for connection.
●
Use IP Header Compression Protocol: If this option is selected, in the connected VPN tunnel,
the device supports IP Payload compression Protocol.
●
Keep Alive: If this option is selected, VPN channel will keep this VPN connection. This is mostly
used to connect the remote node of the branch office and headquarter or used for the remote
dynamic IP address.
●
AH Hash Calculation: For AH (Authentication Header), users may select MD5/DSHA-1.
●
NetBIOS Broadcast: If this option is selected, the connected VPN tunnel allows the passage of
NetBIOS broadcast packet. This facilitates the easy connection with other Microsoft Network
Neighborhoods; however, the traffic using this VPN tunnel will increase.
●
Dead Peer Detection (DPD): If this option is selected, the connected VPN tunnel will regularly
148
SSL/IPSec VPN Firewall
transmit HELLO/ACK message packet to detect whether there is connection between the two
ends of the VPN tunnel. If one end is disconnected, the device will disconnect the tunnel
automatically and then create new connection. Users can define the transmission time for each
DPD message packet, and the default value is 10 seconds
10.1.3. PPTP Setting
It supports the PPTP of Window XP/ 2000 to create point-to-point tunnel protocol for single- device users
to create VPN connection.
149
SSL/IPSec VPN Firewall
Enabled PPTP Server
When this option is selected, the point-to-point tunnel protocol PPTP
server can be enabled.
PPTP Client IP Range
Please enter PPTP IP address range so as to provide the remote
users with an entrance IP into the local network. Enter Range Start:
Enter the value into the last field. Enter Range End: Enter the value
into the last field.
Username
Please enter the name of the remote user.
Password
Enter the password and confirm again by entering the new password.
Confirm Password
150
SSL/IPSec VPN Firewall
Add to list
Add a new account and password.
Delete selected item
Delete Selected Item.
All PPTP Status: Displays all successfully connected users, including username, remote IP address, and
PPTP address.
151
SSL/IPSec VPN Firewall
10.1.4. VPN Pass Through
IPSec Pass Through
If this option is enabled, the PC is allowed to use VPN-IPSec
packet to pass in order to connect to external VPN device.
Fixed Source Port
This option is only required when having VPN connection with
(Future Feature)
Cisco VPN Server and Client. Because VPN Server does not
accept two connections with the same IP and same source port,
Change Source Port
(Future Feature)
the second connection needs to change source port from UDP
500 to the other random port. If choosing Fixed Source Port, the
second connection will still keep the connection with UDP 500.
PPTP Pass Through
If this option is enabled, the PC is allowed to use VPN- PPTP
packet to pass in order to connect with external VPN device.
L2TP Pass Through
If this option is enabled, the PC end is allowed to use VPNL2TP packet to pass in order to connect with external VPN
device.
After modification, push “Apply” button to save the network setting or push “Cancel” to keep the
settings unchanged.
152
SSL/IPSec VPN Firewall
10.2. QnoKey
Introduces how Qno VPN devices conducts preliminary configuration of the data from the user end and
how to set the QnoKey user to successfully create QnoKey by using QnoKey management software.
10.2.1. QnoKey Summary
Login to the web-based UI and click on the QnoKey menu to display the page that summarizes the
current status information of QnoKey, as illustrated below：
QnoKey Tunnel Number
Displays how many tunnels are applied and the total tunnel number of
QnoKey tunnel. Through advanced setting, users can set the tunnel
number of IPSec and QnoKey.
Enabled
Displays whether QnoKey username is enabled.
Account ID
Displays the user name group of QnoKey.
Local IP Address
Server IP address or the applied domain name.
(Domain Name)
Life Time
The present valid time of QnoKey; permanent use is displayed as
Forever.
Available Time
If the number of days of using QnoKey is set, the remaining time is
displayed here.
153
SSL/IPSec VPN Firewall
Account Number
The upper limited number of QnoKey users.
Limitation
Used Number
The number of QnoKey in use.
Online Number
Displays the number of connected devices that are using QnoKey.
Show Table
Displays the list of all QnoKey users.
Delete
Deletes one user name group setting rule.
Goes to the page where summarized information is needed.
Go to
page
Each summary page displays several group messages.
Entries per page
Add Qnokey Group
Add new group settings.
Delete All Group
Delete all the group settings.
10.2.2 Qnokey Group Setup
Press Add New Qnokey Group to enter Group Setup page, as illustrated below.
This page is designed for QnoKey group setup. Group parameters for QnoKey include WAN ports, valid
154
SSL/IPSec VPN Firewall
time, and number of users, and protection actions for potential QnoKey losses. These setting options facilitate
classified management for QnoKey users and enhance security.
Enable this rule
Select this option to activate this setting rule.
Group Account ID
Enter the QnoKey group name that users would like to set up.
Interface
Select WAN port and enter the correct IP address which
corresponds to WAN port or the domain name (analyzed by
DDNS).If WAN ports are empty, IP entry is not necessary so
that VPN connection will not fail. This option allows users to
select which WAN port to make connection, facilitating
management. If WAN1 is selected, QnoKey group users can
connect through only WAN1. If both WAN 1and WAN 2 are
selected, QnoKey group users are allowed to make
connection via WAN 1or WAN 2. When WAN1 is
disconnected, WAN2 will be automatically connected to back
up VPN connection.
Note：
 If WAN port is selected and the network connection type is
set as static IP, the system will automatically display this
WAN IP. Administrator does not need to enter it
manually.
 If WAN port is selected and the network connection is set
to other types such as DHCP/PPPoE, administrator needs
to enter the IP address or domain name (through DDNS
analysis).
Life Time
Set the valid time for QnoKey group. If the QnoKey is for
normal and frequent use, the option "Forever" may be
selected so the user end valid time is infinite. If the user is
more complicated or if it is meant for mobile users who travel
on business, the VPN security can be guaranteed by setting
the valid time of QnoKey as "1~99" days according to the
155
SSL/IPSec VPN Firewall
desired number of days to be set.
Account Number
Limitation
Set the maximum number of QnoKey users (from "1~100‖)
allowed by the group setting rules.
Stolen Key Login
Action
In the drop-down list, select operation options for the missing
QnoKey.
In the event of losing QnoKey, there are three options for
selection: ―Do Nothing‖, ―Clear Key,‖ and ―Lock Key". Setting
this feature on QnoKey can enhance VPN security. Select
"Do Nothing" to do no change after the Key is lost. Select
"Clear Key" to clean up the QnoKey settings when the VPN
connection is established again after the QnoKey is lost.
Select "Block Key" to block the VPN connection after the
QnoKey is lost.
Press "Apply" to confirm the group settings and press "Cancel" to cancel the setting. Press "Back" to
return the previous page.
Pressing "Apply" to display a dialog box in which it will ask if users want to continue to add new setting
group. Click "Ok" to add another group setting or "Cancel" to return to the QnoKey Summary page. It is
illustrated as below.
On the QnoKey Summary page, the defined group will be displayed, which is illustrated as below.
156
SSL/IPSec VPN Firewall
When a new rule is created, "Show List" and "Edit" button will be displayed behind the rule. Click on
"Show List" to show the list of users applying this group rule. Click "Edit" to change settings. Click the trash
can icon
to delete this setting.
10.2.3 Qnokey Account List
Click "Show List‖ to show the Account List page applying this rule.
Group Account ID
Displays the group ID to which the user belongs to.
Enabled
Click this option to activate QnoKey user.
QnoKey SN
Displays the QnoKey serial number.
User Name
Displays the QnoKey user name.
Status
Displays the QnoKey connection status. ―Connect‖ means the
user is connected and online; ―Disconnect" means no connection
and offline.
157
SSL/IPSec VPN Firewall
Stolen Key Login
Select this option to create settings if the QnoKey is lost.
Action
Bind MAC
If there is hardware binding, QnoKey can only execute on the
bound PC.
MAC Address
If hardware binding function is enabled, it will show the MAC
address which Qnokey is bound with, not the PC MAC address.
Delete
Delete the user Qnokey connection information.
158
SSL/IPSec VPN Firewall
10.3. QVM VPN Function Setup
The QVM-series device provides three major convenient functions:
1. Smart Link IPSec VPN: Easy VPN setup replaces the conventional complicated VPN setup
process by entering Server IP, User Name, and Password.
2. Central Control Feature: Displays a clear VPN connection status of all remote ends and
branches. Its central control screen allows setup from remote into external client ends.
3. VPN Disconnection Backup: Solves data transmission problem arising from failed ISP
connection with remote ends or the branches.
10.3.1. QVM Server Settings
Select QVM Feature as Server mode:
159
SSL/IPSec VPN Firewall
Account ID
Must be identical to that of the remote client end.
Please enter the remote client user name in either English or Chinese.
Password
Must be identical to that of the remote client end.
Confirm Password
Please enter the password and confirm again.
IP Address
Refers to the specific network IP address and subnet mask, which has to
Subnet Mask
VPN Hub Function
build connection with the remote client end.
After branch and headquarter are connected, branches can access each
other easily without having other tunnels.
Enabled
Enable this account.
Add to list
Add a new account and password.
Delete selected item
Delete the selected user.
160
SSL/IPSec VPN Firewall
After modification, push “Apply” button to save the network setting or push “Cancel” to keep the
settings unchanged.
10.3.2. QVM Status
Account
Displays the remote client user.
Green means connection, blue waiting for connection and red for QVM
disconnection.
Status
Displays the QVM VPN connection status.
Red means disconnection and green means connection.
Interface
Shows which WAN port is applied to connect to this remote QVM.
Start Time
Shows the starting time of QVM.
End Time
Shows the ending time of QVM.
Duration
Shows the total time used from the Start to the End of this QVM.
Control
Shows the status of this QVM: waiting for connection (Waiting), stop the
connection (Disconnect), and Disable this feature/ Enable this QVM to enter
the status of waiting for connection.
Config.
Click Edit to enter the setting items to be changed.
161
SSL/IPSec VPN Firewall
10.3.3. QVM Client Settings (Future Feature)
Select QVM feature as Client mode:
Account ID
Must be identical to that of the server account ID.
Password
Must be identical to that of the server password.
Confirm Password
Please enter the password and confirm again.
QVM VPN （ IP Address or
Input QVM VPN Server IP address or domain name.
Dynamic Domain Name）
Status
Displays QVN connection status.
Keep Alive: Redial Period
This function is to set re- connect duration if QVM contention
162
SSL/IPSec VPN Firewall
drops. The range is 1~60 mins.
Mins
QVM Backup Tunnel
You can input at most 3 backup IP addresses or domain names
for backup. Once the connection is dropped, the function will
be automatically enabled to backup the VPN connection and
ensure data transition security.
Advanced Function
In some environment, port 443 has been used, for example,
Change QVM Client’s
E-Mail Forwarding. To avoid the conflict with QVM, QVM port
Service Port
can be changed to other encryption ports, such as 10443.
After modification, press “Apply” to save the network setting or press “Cancel” to keep the settings
unchanged.
163
SSL/IPSec VPN Firewall
XI. SSL VPN
The router provides two different SSL VPNs: virtual passage SSL and full set SSL. The functions might
vary but the settings in GUI are similar.
This chapter will introduce SSL VPN settings based on full set SSL.
SSL (Secure Sockets Layer) is a protocol that ensures secure data transmission over the Internet via
HTTPS encryption; including server authentication, user authentication, and SSL data link integrity and
security. SSL VPN is an LAN application service that remote users are provided with web page security
through a SSL VPN gateway. Because SSL VPN uses a standard, built-in web browser SSL/HTTPS secure
transmission mechanism, there are no required installations or settings for clients. Clients can access remote
data via a web browser such as IE or Netscape. This simple setup requires no client software, costs less and
is highly adaptable with other networks. Administrators can also use the same ID for user ID authentication
mechanism, network access, and classification management. This prevents enterprise information’s complete
transparency and provides an increasing level of security safeguards.
11.1 Status
Block Status shows current SSL VPN users' online status.
164
SSL/IPSec VPN Firewall
Tunnel(s) Used:
Display the amount of previously set tunnels.
Tunnel(s) Available:
Display the amount of unused tunnels.
User
Display the current SSL tunnel user name.
Group
Display the name of current SSL tunnel using Group.
IP
Display current users' SSL tunnel remote IP addresses.
Login Time
Display current SSL tunnel users' login time.
User Type
Display whether the user is an administrator or a staff.
Logout
Logout when clicking on the icon.
11.2 Group Summary
Group Summary table displays group setting information. Group settings can be modified here and new
users can also be added.
Group
Display the group’s name. SSL VPN has 4 built-in groups by default (All
Users, Supervisor, Mobile User, & Branch Staff). If one group needs to
be edited, click on its name to access the group management page.
Domain
Display the authentication server name used corresponding to certain
group, which is served as Local Database by default.
User
Click "Detail" to view a specific group's user names and types.
165
SSL/IPSec VPN Firewall
Resource
Click "Detail" to view a specific group's available service resources. The
4 default group's authentication service resources are all listed in the
following service resource configuration explanation.
Delete
Click the recycle bin icon to delete a group.
Status
Display whether the group configuration is Enabled or Disabled.
Defaults for the All Users group are Enabled and for others are
Disabled.
Add New Group
Click the "Add New Group" tab, entering the group admin section to add
a new group.
11.3 Group Management
Group Management helps the web administrator organize users’ access to internal service resources in
groups. It can be configured by following 3 steps: Domain Management, User management, and Service
Resource management. In addition, SSL VPN's unique "One- Click" makes your basic configurations fast.
166
SSL/IPSec VPN Firewall
167
SSL/IPSec VPN Firewall
Group Name:
Group Name:
Display all group names in the drop down list.
Add New Group:
Click it to create a new group.
Add New Group
Group Name
Import a group name.
Submit
Click "Submit" tab to save recent changed settings; new group names
will appear in the drop down menu.
Cancel
Click "Cancel" to clear any recent changes to the settings.
Each group must follow below steps (Domain Management, User management, and Service resource
management) to complete group settings.
Step One: Domain Management
168
SSL/IPSec VPN Firewall
Domain Management is used to determine which authentication server will be used to authenticate
users at login. The default authentication server type is local database. SSL VPN supports external
authentication services and can be combined with an enterprise's current authentication server for a
simplified deployment. If no suitable authentication servers can be chosen from the list, click "Add New
Domain" to create a new one.
Assign
All authentication servers with defined settings will be displayed on Domain
Management list. You are required to choose one authentication server to be
assigned to this group. Each group can only be assigned to one type of
authentication server. Default is Local Database. If there are changes to the
domain servers designated by All Users, other groups that have yet to enable will
also be modified accordingly.
Domain Names
Display all authentication server names.
Authentication Type
Display authentication server type.
Authentication server IP
Display external authentication server IP addresses. If the Authentication Type is
Local Database, the authentication server IP address will not be displayed.
169
SSL/IPSec VPN Firewall
User Database
For external authentication servers, the user database will be: "Apply User
Database‖ and "Customize User Database".
Click "Apply User database", then there is no need to establish additional user
data, and the system will directly apply the external authentication server's
internal user database settings. As long as the users belong to this authentication
server group, they can use the group's resources.
Note: If multiple groups designate the same authentication server for users, only
one group will be able to use the built-in user database at one time. For this
reason, it is recommended that the largest group be designated to use the built-in
user database and other smaller groups use the "Customize User Database".
Select the "Customize User Database", the administrator must add a new user
to the group (See step two: User management). If users have not been set by the
administrator, users of the authentication server can still pass the authentication,
but they will not be able to access the web portal to use internal enterprise
resources.
Edit
Click on the "Edit" tab to make changes to the server addresses and
authentication domain names. Authentication server type and authentication
service name cannot be altered. If you want to change the authentication server
type and authentication service name, delete them, and then set up a new
authentication server.
Delete
Click on the recycle bin icon to delete authentication server settings.
Adding New Authentication Service
SSL VPN, in addition to Local Database, supports another 7 kinds of authentication server types:
170
SSL/IPSec VPN Firewall
Radius-PAP/CHAP/MSCHAP/MSCHSPV2, NT-Domain, Active Directory, and LDAP.
1. Local Database
Authentication Type
Select the authentication server type from the drop down menu.
Domain Names
Name the selected authentication server.
Submit
Click on the "Submit" tab to save changes
Cancel
Click "Cancel" to clear any recent changes to the settings.
2. Radius-PAP
Authentication Type
Select the authentication server type from the drop down menu.
Domain Names
Name the selected authentication server.
171
SSL/IPSec VPN Firewall
RADIUS Server
Enter authentication server address.
Secret Password
Enter the password for RADIUS.
Submit
Click on the "Submit" tab to save changes
Cancel
Click "Cancel" to clear any recent changes to the settings.
3. Radius-CHAP
Authentication Type
Select the authentication server type from the drop down menu.
Domain Names
Name the selected authentication server.
RADIUS Server
Enter authentication server address.
Secret Password
Enter the password for RADIUS.
Submit
Click on the "Submit" tab to save changes
Cancel
Click "Cancel" to clear any recent changes to the settings.
4. Radius-MSCHAP
172
SSL/IPSec VPN Firewall
Authentication Type
Select the authentication server type from the drop down menu.
Domain Names
Name the selected authentication server.
RADIUS Server
Enter authentication server address.
Secret Password
Enter the password for RADIUS.
Submit
Click on the "Submit" tab to save changes
Cancel:
Click "Cancel" to clear any recent changes to the settings.
5. Radius-MSCHAPV2
Authentication Type
Select the authentication server type from the drop down menu.
Domain Names
Name the selected authentication server.
RADIUS Server
Enter authentication server address.
Secret Password
Enter the password for RADIUS.
Submit
Click on the "Submit" tab to save changes
173
SSL/IPSec VPN Firewall
Cancel
Click "Cancel" to clear any recent changes to the settings.
6. NT-Domain
Authentication Type
Select the authentication server type from the drop down menu.
Domain Names
Name the selected authentication server.
NT Server Address
Enter the NT-Domain authentication server address.
NT Domain Name
Enter NT-Domain authentication domain name. For example, qno.com.
Submit
Click on the "Submit" tab to save changes
Cancel
Click "Cancel" to clear any recent changes to the settings.
7. Active Directory
Authentication Type
Select the authentication server type from the drop down menu.
174
SSL/IPSec VPN Firewall
Domain Name
Name the selected authentication server.
Server Address
Enter Active Directory authentication server address.
Active Directory
Enter Active Directory authentication server’s domain name. For
Domain
example, qno.com
Submit
Click on the "Submit" tab to save changes
Cancel:
Click "Cancel" to clear any recent changes to the settings.
8. LDAP
Authentication Type
Select the authentication service type you wish to use from the drop
down menu.
Domain Names
Name the selected authentication server.
Server Address
Enter authentication server address.
LDAP BaseDN*
Enter LDAP authentication server’s authentication domain name
(LDAP BaseDN*).
Submit
Click on the "Submit" tab to save changes
Cancel
Click "Cancel" to clear any recent changes to the settings.
One Click:
SSL VPN provides one-click setting. With fewest configurations, all users can use SSL tunnels to access an
open internal resource. While in "All Users" group, the authentication server settings support the current
enterprise authentication server. So all users, after being identified via the authentication server, will be
directed to the portal and can use the full range of enterprise resources. For Authentication server settings,
see step one below: Domain Management.
175
SSL/IPSec VPN Firewall
If you don't want all users to access the full range of available resources, go to "All Users" group settings to
disable or modify settings in sequential order according to the following steps.
If you want to use the one-click function, after you have added new authentication servers, complete the
setup by assigning the All Users group authentication server to the newly created authentication server.
Note: All of the users in this authentication server can link to the web portal and access all of the enterprise
resources pre-determined by administrators. Administrators do not need to define settings for step 2 (User
management) and step 3 (Service resources management).
Step 2: User Management
User Management determines who belong to this group and have the right to use the resources. Newly
added users will appear on the user list; click on "Assign to this Group" column to designate a user to this
group. If "Domain Management" is set to "Customize User Database" and when the user list does not have a
suitable user, click "Add New User" to create a new one.
176
SSL/IPSec VPN Firewall
Assign to this Group
Select a user from the user list to assign to this group. One user can be
assigned to one group only.
User Name
Display customized user name.
Please note: The built- in users of the authentication server database in
Domain Management will not display on the user list.
Edit
User
passwords
(if
Local
Database),
expiration
dates,
user
classifications, and inactive timeouts can be edited or modified, but user
authentication servers and user names cannot. If you want to modify a
user name, first delete it, and then add a new modified user name.
Delete
Delete this user.
Add New User
Click on ―Add new user‖ and the window below will pop up.
Please note: In addition to Local Database, user names and passwords must correspond to the selected
authentication server’s user names.
177
SSL/IPSec VPN Firewall
Domain Name
Display the authentication server name used by this group.
User Name
Enter authentication server’s user name.
Password
For Local Database, enter user passwords. Passwords do not need to
be entered if Local Database is not used.
Expiration Date
Enter users' permitted time limit. For example, if the expiration date is
(yyyy/mm/dd)
set to November 1, 2007, then the user will be denied beginning on
November 2, 2007 at 12: 00 AM.
User Type
If set to "Administrator", the user will login on the router management UI.
If set to "U user", the user will login on the web portal.
Please note: Only Local Database users can be set as "Administrator";
external authentication server users can only be "Users" and cannot
login on the router management UI.
178
SSL/IPSec VPN Firewall
Inactive timeout
Even though a user has logged in via the web portal, he/she will be
forced to logout (timeout) due to inactivity after 10 minutes. If a user logs
into the web portal to access enterprise resources using a SSL in an
unsafe environment, a shorter timeout time is recommended to mitigate
risk if the user is logged in but inactive.
Add to List
After completing the above settings, click on "add to list" to add newly
created user settings to the corresponding list.
Save Setting
After complete settings, click on the ―Save Setting‖ tab to save.
Cancel
Click on the ―Cancel‖ tab to cancel all unsaved settings.
Exit
Click on the ―Exit‖ tab to close the ―add new user‖ window.
Step 3: Service Resource Management:
Service resource management settings determine which enterprise resources a group's users can use.
The checked resources will be the icons which are available to the users after they have logged on to the
web portal. If users are not allowed to enter resource addresses or names, administrators can opt to not
activate that resource and bookmark the limits of users' access to resources. For example, if a company has
multiple FTP servers internally, and when FTP service is activated, then a group's users can connect through
the web portal and enter the FTP servers if they want to access. If an administrator has not activated FTP
service, but has only bookmarked one FTP, then the group's users can only access the bookmarked FTP
server.
179
SSL/IPSec VPN Firewall
Default values for each built-in user groups are shown in the following table.
Resource name/Group
All Users
Supervisor
Mobile User
Branch Staff
name
Internet Services
Telnet

SSH

FTP

Microsoft

Terminal
180


SSL/IPSec VPN Firewall
Services
Word



Excel



Power Point



Access



Outlook



IE

FrontPage

ERP




Remote Desktop
RDP5

VNC


My Network Place


Virtual Passage


Configure Bookmark for this Group
Services (Telnet, SSH, FTP) and remote desktop services (RDP5, VNC) can use group established
bookmarks. Users are not required to remember or set a server name or IP address.
Administrators can see all configured bookmarks here, which will display on a user web portal. Users
are not required to remember or set a server name or IP address; they can click to use the administrator
pre-configured resources.
181
SSL/IPSec VPN Firewall
Bookmark configured for this group:
Bookmark Name
Enter the service resource name; this name will appear on the user's
web portal as the service name.
Name or IP address
Enter the service name or IP address.
182
SSL/IPSec VPN Firewall
Service
Select a service from the drop down menu below, for example:
Telnet/SSH/FTP.
Add to List
After completing the previous steps, click on the ―Add to List‖ tab to add
the bookmark setting into the list.
Save Setting
After settings are complete, click on the ―Save Setting‖ tab to save.
Cancel
Click on the ―Cancel‖ tab to cancel all unsaved settings.
Exit
Click on the ―Exit‖ tab to close the window.
Bookmark configured for this group: Remote desktop service
Bookmark Name
Enter the service resource name; this name will appear on the user's
web portal as the service name.
Name or IP address
Enter the service name or IP address.
Service
Select remote desktop service RDP5/VNC from the drop down menu.
183
SSL/IPSec VPN Firewall
Screen Size
Configure user remote desktop screen display dimensions: 680x480,
800x600, 1027x768 or full-screen
Add to List
After completing the previous steps, click on the ―Add to List‖ tab to add
the bookmark setting into the list.
Save Setting
After complete settings, click on the ―Save Setting‖ tab to save.
Cancel
Click on the ―Cancel‖ tab to cancel all unsaved settings.
Exit
Click on the ―Exit‖ tab to close the window.
Permit Customized Bookmarks
If an administrator activates ―Permit Customized Bookmarks‖, then users should click "Add Bookmark" to
configure a service name or IP address to use that resource.
184
SSL/IPSec VPN Firewall
11.4 Domain Management
In addition to selecting 12.3 ―Group Management‖, SSL VPN can also provide authentication to display
Domain Management. All authentication services will be shown in the Domain Management list. Groups
using authentication services will be displayed according to the authentication server name.
All User Group
Supervisor
Mobile User
Branch Staff
Group
Group
Group
Step One: Domain
Management
Step 2: User
Management
Step 3: Service
Resource Management
185
SSL/IPSec VPN Firewall
Domain Name
All newly added authentication services will be displayed on the Domain
Management list.
Authentication Type
Authentication service types are displayed by authentication server
name, including: Local Database, Radius- PAP/ CHAP/ MSCHAP/
MSCHAPV2, NT-Domain, Active Directory and LDAP.
Authentication
Display configured external authentication server IP addresses.
Server IP
Group
Display authentication server group names.
Edit
Click on the ―Edit‖ tab to select an authentication server IP address and
edit authentication domain names.
Delete
Click on the ―clear‖ tab to clear the selected authentication server.
Add New Domain
See 12.3 ―Group Management‖.
11.5 User Management
In addition to selecting 12.3 Group Management to configure group settings, SSL VPN can also
provide inter-group user management. On the user management list, each authentication server will display
all self-defined users that can be appointed to groups.
All User Group
Supervisor
Mobile User
Branch Staff
Group
Group
Group
Step One: Domain
Management
Step 2: User
Management
Step 3: Service
Resource
Management
186
SSL/IPSec VPN Firewall
Domain Name
Select an authentication server to perform user management on from
the drop down menu.
Authentication Type
Displays the name of the authentication server type and also shows
default is Local Database.
User Name
Displays authentication server’s self-defined user names.
Group
Displays which group the user belongs to; from here you can modify
user groups.
Edit
User
passwords
(if
Local
Database),
expiration
dates,
user
classifications, and inactive timeouts can be edited or modified, but user
authentication servers and user names cannot. If you want to modify a
user name, first delete it, and then add a new user name. You can also
select an authentication server to edit IP address and domain name.
Delete
Click on the ―Delete‖ tab to delete selected users.
Add New User
Click on ―Add New User‖ and then the window below will pop up.
187
SSL/IPSec VPN Firewall
Please note: In addition to the local database, user names and passwords must correspond to the
selected authentication server’s user names.
Domain Name
Displays the authentication server name.
User Name
Enter authentication server’s user names.
Password
For Local Database, enter user passwords. Passwords do not need to
be entered if Local Database is not used.
Expiration Date
Enter users' permitted time limit. For example, if the expiration date is
(yyyy/mm/dd)
set to November 1, 2007, then the user will be denied beginning on
November 2, 2007 at 12: 00 AM.
User Type
If set to "Administrator", the user will login on the router management UI.
If set to "User", the user will login on the web portal.
Please note: Only Local Database users can be set as "Administrator",
external authentication server users can only be "User" and cannot login
on the router management UI.
188
SSL/IPSec VPN Firewall
Inactive timeout
Even though a user has logged in via the web portal, he/she will be
forced to logout (timeout) due to inactivity after 10 minutes. If a user logs
into the web portal to access enterprise resources using a SSL in an
unsafe environment, a shorter timeout time is recommended to mitigate
risk if the user is logged in but inactive.
Add to List
After completing the above settings, click on "Add to List" to add newly
created user settings to the corresponding list.
Confirm
After settings are complete, click on the ―Confirm‖ tab to save.
Cancel
Click on the ―Cancel‖ tab to cancel all unsaved settings.
Exit
Click on the ―Exit‖ tab to close the window.
11.6 Service Resource Management
189
SSL/IPSec VPN Firewall
11.6.1 Banner
Set the headings for users’ web portal, including enterprise and resource names.
11.6.2 Resource Configuration
SSL VPN supports common Microsoft terminal services (including Word, Excel, PowerPoint, Access,
Outlook, IE, FrontPage, and ERP). Administrators can also click on the ―Add New Terminal Service‖ tab to
add additional terminal services.
190
SSL/IPSec VPN Firewall
Resource Name
Display resource name, including SSL VPN supported terminal services
like Word, Excel, PowerPoint, Access, Outlook, IE, FrontPage, and
ERP.
Service
Display different service icons, which will show on a user’s web portal.
Host Address
Display terminal server address.
Edit
Provides selected resource application program paths, execution paths,
server addresses, and application program image editing. SSL VPN
supports built-in application program paths c: \program files\Microsoft
office\office\windword.exe. If you have installed Microsoft terminal
services that have a different server path, modification will be required.
Microsoft terminal service is ―Disabled‖ by default. Once Microsoft
terminal service server is set up and configured, activate it to avoid
limited services for group users.
Delete
If there is no need to support terminal services, click on the delete icon
to delete the resource.
Status
Displays server resource status as Enabled or Disabled.
Add New Terminal Server
If an enterprise has multiple internal terminal servers, click on the ―Add New Terminal Service‖ tab to add a
new terminal service.
191
SSL/IPSec VPN Firewall
Application
Import an application name.
Description
Application and
Set installation path this of application server.
Path
Working Directory
Set application working directory.
Host Address
Set server address.
Application Icon
Select the server icon. In addition to built-in icons, there are also
commonly used icons.
Enable
Check to activate this service.
11.7 Link to Portal
If user management settings have the user type set to ―Administrator‖, the user will login on the router
management UI. For login to the web portal, click ―Link to Portal‖.
192
SSL/IPSec VPN Firewall
11.8 Advanced Settings
Advanced Settings can modify SSL connection ports & add SSL upgrades.
193
SSL/IPSec VPN Firewall
11.8.1 Virtual Passage
A virtual passage is a type of point-to-point SSL client connection. When remote users use a secure
tunnel to connect, SSL VPN will establish a virtual web interface. For this reason, you will need to set SSL
VPN's secure tunnel client address range so it does not conflict with your company's Internet DHCP IP.
Default for 5 SSL users is 192.168.1.200 to 192.168.1.205.
Unified IP Management:
The Unified IP Management configuration window can set LAN IP range, DHCP IP range, SSL virtual
passage IP range, and PPTP IP address range.
194
SSL/IPSec VPN Firewall
LAN Settings:
The system default for LAN IP is 192.168.1.1, and subnet mask is 255.255.255.0. Changes can be made
based on actual network architecture.
Multiple-Subnet Settings:
Select "Multiple Subnet", and enter the subnet IP address/ subnet mask you want to add. This function is
to add the router's different LAN IPs in different ranges to the router identified LAN. Therefore, PCs in LAN
already having configured IPs, which are different from LAN IP range, can still go online directly. For example,
there are several IP ranges in LAN, such as 192.168.3.0, 192.168.20.0, 192.168.150.0, etc. When all of these
ranges are added to a subnet, the PCs in these ranges don't need to make any modification and can go online.
This can be done with your actual internet architecture.
Dynamic IP:
SSL VPN firewall has 4 Class C DHCP servers and is enabled by default, which can provide PCs in LAN
to get IPs automatically (like DHCP service in NT server). So each PC isn't required to record or set other IP
addresses. After a computer starting, SSL VPN firewall will automatically acquire an IP address.
Range Start
The initial IP for the 4 ranges by default are 192.168.1.100,
192.168.2.100, 192.168.3.100, and 192.168.3.100. Changes can be
made by actual requirements.
195
SSL/IPSec VPN Firewall
Range End
The last IP for the 4 ranges by default are 192.168.1.149,
192.168.2.149, 192.168.3.149, 192.168.4.149. Factory default allows to
50 IP addresses in each range. A total of 200 computers can
automatically acquire IP addresses. Changes can be made by actual
requirements.
Virtual Passage:
When the client uses SSL secure tunnel to connect to SSL VPN, SSL VPN will assign a LAN IP address
to the user. You can use SSL VPN's supported SSL tunnels to adjust "client start addresses" and "client end
addresses" to provide ample LAN IP the SSL secure tunnel clients. Ensure that the secure tunnel IP range
doesn’t conflict with the DHCP IP range or the PPTP secure tunnel IP range.
PPTP IP Address Distribution Range:
When a client uses PPTP to dial into the SSL VPN, SSL VPN will assign a LAN IP address for the client. You
can adjust ―Range Start‖ and ―Range End‖ by purchasing SSL tunnel quantity.
In this way, you can provide
sufficient LAN IPs for SSL tunnel users. Please Note: IP ranges for virtual passage cannot have conflict with
those in DHCP and PPTP tunnels.
11.8.2 Advanced Configurations
The SSL default port is 443. If port 443 is being used by another internal application, you can use the
SSL VPN’s service port drop down menu to select a different one (10443, 20443). Remind: If you change a
port other than the default 443, when a client connects to the SSL VPN, the port number will have to be
entered after the address.
196
SSL/IPSec VPN Firewall
Password Protection
For enhance the robust security connection of SSL, you can avoid illegal users or brute-force-attack by
selecting below options.
(1) Enable restrict crack calculator
administrators can set the number of error times for the single account login, when this account login
times are over the number administrators set, system will block this account for a period of time. To enter
―Apply‖, it will take effect when users login next time.
※If user login with a error password continuously, a warning message will pop up as below
figure：
※When the error times over the threshold, system will block this account automatically for few
minutes, along with pop up a warning message to remind the users as below figure：
197
SSL/IPSec VPN Firewall
(2) Enable graphics verification
When select ―Enable graphics verification‖ and enter ―Apply‖, the login web page will display
graphics verification as below figure when users login next time. Users not only key in the user
name/password but also need to key in the correct graphics verification to login SSL connecting
successful.
198
SSL/IPSec VPN Firewall
11.8.3 SSL Upgrade Serial Number
In addition to SSL VPN default SSL tunnel, if you want to upgrade for additional tunnels, please contact
your Qno distribution representatives to order the upgraded edition. After purchasing, an SSL upgrade serial
number will be provided. Enter the serial number in the "SSL Upgrade Serial Number" blank and the tunnel
quantity in "SSL Upgrade Tunnel Number". After that, click "Apply", and you can successfully upgrade the
SSL tunnels. You can go to ―Status‖ to view ―Tunnel(s) Used‖ and ―Tunnel(s) Available‖ to confirm whether
your upgrade is successful or not .
199
SSL/IPSec VPN Firewall
XII. Advanced Function
This chapter will introduce to you the advance router settings In the advance settings, you can:
1. Setup DMZ servers forwarding to WAN, for example, the Web or FTP servers.
2. Setup static routing entries or dynamic routing protocol.
3. Setup one to one NAT function to mapping public IP address and private IP address.
4. Setup dynamic DNS service.
5. Setup MAC address in interfaces.
12.1 DMZ/Forwarding
12.1.1 DMZ Configuration
When the NAT mode is activated, sometimes users may need to use applications that do not support
200
SSL/IPSec VPN Firewall
virtual IP addresses such as network games. We recommend that users map the device actual WAN IP
addresses directly to the Intranet virtual IP addresses, as follows:
If the ―DMZ Host‖ function is selected, to cancel this function, users must input "0‖ in the following
―DMZ Private IP‖. This function will then be closed.
After the changes are completed, click ―Apply‖ to save the network configuration modification, or click
―Cancel" to leave without making any changes.
12.1.2 Port Range Forwarding
Setting up a Port Forwarding Virtual Host: If the server function (which means the server for an
external service such as WWW, FTP, Mail, etc) is contained in the network, we recommend that users
use the firewall function to set up the host as a virtual host, and then convert the actual IP addresses
(the Internet IP addresses) with Port 80 (the service port of WWW is Port 80) to access the internal
server directly. In the configuration page, if a web server address such as 192.168.1.50 and the Port 80
has been set up in the configuration, this web page will be accessible from the Internet by keying in the
device actual IP address such as, http://211.243.220.43.
At this moment, the device actual IP will be converted into ―192.168.1.50‖ by Port 80 to access the
web page.
In the same way, to set up other services, please input the server TCP or UDP port number and the
virtual host IP addresses.
201
SSL/IPSec VPN Firewall
Service
To select from this option the default list of service ports of the virtual
host that users want to activate.
Such as: All (TCP&UDP) 0~65535, 80 (80~80) for WWW, and 21~21
for FTP. Please refer to the list of default service ports.
IP Address
Enable
Service Port
Input the virtual host IP address.
Activate this function.
Add or remove service ports from the list of service ports.
Management
Add to list
Add to the active service content.
Service Port Management
The services in the list mentioned above are frequently used services. If the service users want to
activate is not in the list, we recommend that users use ―Service Port Management‖ to add or remove ports,
as follows:
202
SSL/IPSec VPN Firewall
Service Name
Input the name of the service port users want to activate on the list,
such as E-donkey, etc.
Protocol
To select whether a service port is TCP or UDP.
Port Range
To activate this function, input the range of the service port locations
users want to activate such as 500~500 or 2300~2310, etc.
Add to list
Add the service to the service list.
Delete selected item
To remove the selected services.
Apply
Click the ―Apply‖ button to save the modification.
Cancel
Click the ―Cancel‖ button to cancel the modification. This only works
before ―Apply‖ is clicked.
203
SSL/IPSec VPN Firewall
Exit
Quit this configuration window.
12.2 UPnP
UPnP (Universal Plug and Play) is a protocol set by Microsoft. If the virtual host supports UPnP system
(such as Windows XP), users could also activate the PC UPnP function to work with the device.
Service Port
Select the UPnP service number default list here; for example, WWW is
80~80, FTP is 21~21. Please refer to the default service number list.
Host Name or IP Address
Input the Intranet virtual IP address or name that maps with UPnP such
as 192.168.1.100.
Enabled
Activate this function.
Service Port Management
Add or remove service ports from the management list.
Add to List
Add to active service content.
Delete Selected Item
Remove selected services.
Show Table
This is a list which displays the current active UPnP functions.
Apply
Click ―Apply‖ to save the network configuration modification.
Cancel
Click ―Cancel" to leave without making any change.
204
SSL/IPSec VPN Firewall
12.3 Routing
In this chapter we introduce the Dynamic Routing Information Protocol and Static Routing Information
Protocol.
205
SSL/IPSec VPN Firewall
12.3.1 Dynamic Routing
The abbreviation of Routing Information Protocol is RIP. There are two kinds of RIP in the IP
environment – RIP I and RIP II. Since there is usually only one router in a network, ordinarily just Static
Routing will be used. RIP is used when there is more than one router in a network, and if an administrator
doesn’t want to assign a path list one by one to all of the routers, RIP can help
refresh the paths.
RIP is a very simple routing protocol, in which Distance Vector is used. Distance Vector determines
transmission distance in accordance with the number of routers, rather than based on actual session speed.
Therefore, sometimes it will select a path through the least number of routers, rather than through the fastest
routers.
Working Mode
Select the working mode of the device: NAT mode or router mode.
RIP
Click ―Enabled‖ to open the RIP function.
Receive RIP versions
Use Up/Down button to select one of ―None， RIPv1， RIPv2， Both
RIPv1 and v2‖ as the ―TX‖ function for transmitting dynamic RIP.
Transmit RIP versions
Use
Up/Down
button
to
select
one
of
―None ，
RIPv1 ，
RIPv2-Broadcast， RIPv2-Multicast‖ as the ―RX‖ function for receiving
dynamic RIP.
12.3.2 Static Routing
When there are more than one router and IP subnets, the routing mode for the device should be
configured as static routing. Static routing enables different network nodes to seek necessary paths
automatically. It also enables different network nodes to access each other. Click the button ―Show Routing
Table‖ (as in the figure) to display the current routing list.
206
SSL/IPSec VPN Firewall
Dest. IP
Subnet Mask
Input the remote network IP locations and subnet that is to be routed. For
example, the IP/subnet is 192.168.2.0/255.255.255.0.
Default Gateway
The default gateway location of the network node which is to be routed.
Hop Count
This is the router layer count for the IP. If there are two routers under the
device, users should input ―2‖ for the router layer; the default is ―1‖. (Max.
is 15.)
Interface
This is to select ―WAN port‖ or ―LAN port‖ for network connection location.
Add to List
Add the routing rule into the list.
Delete Selected Item
Remove the selected routing rule from the list.
Show Table
Show current routing table.
Apply
Click “Apply” to save the network configuration modification
207
SSL/IPSec VPN Firewall
Click “Cancel" to leave without making any changes.
Cancel
12.4 One to One NAT
As both the device and ATU-R need only one actual IP, if ISP issued more than one actual IP (such as
eight ADSL static IP addresses or more), users can map the remaining real IP addresses to the intranet PC
virtual IP addresses. These PCs use private IP addresses in the Intranet, but after having One to One NAT
mapping, these PCs will have their own public IP addresses.
For example, if there are more than 2 web servers requiring public IP addresses, administrators can map
several public IP addresses directly to internal private IP addresses.
Example：Users have five available IP addresses - 210.11.1.1~5, one of which, 210.11.1.1, has been
configured as a real IP for WAN, and is used in NAT. Users can respectively configure the other four real IP
addresses for Multi-DMZ, as follows:
210.11.1.2
192.168.1.3
210.11.1.3
192.168.1.4
210.11.1.4
192.168.1.5
210.11.1.5
192.168.1.6
Note!
The device WAN IP address can not be contained in the One-to-One NAT IP configuration.
208
SSL/IPSec VPN Firewall
One to One NAT:
Enable One to One NAT
To activate or close the One-to-One NAT function. (Check to activate the
function).
Private IP Range Begin
Input the Private IP address for the Intranet One-to-One NAT function.
Public IP Range Begin
Input the Public IP address for the Internet One-to-One NAT function.
209
SSL/IPSec VPN Firewall
Range Length
The numbers of final IP addresses of actual Internet IP addresses. (Please
do not include IP addresses in use by WANs.)
Add to List
Add this configuration to the One-to-One NAT list.
Delete Selected range
Remove a selected One-to-One NAT list.
Apply
Click “Apply” to save the network configuration modification.
Cancel
Click “Cancel" to leave without making any changes.
Note!
One-to-One NAT mode will change the firewall working mode. If this function has been set up, the
Internet IP server or PC which is mapped with a LAN port will be exposed on the Internet. To prevent
Internet users from actively connecting with the One-on-One NAT server or PC, please set up a proper
denial rule for access, as described Firewall.
Multiple to One NAT:
210
SSL/IPSec VPN Firewall
Enable Multiple to One
Click to enable multiple to one NAT function.
NAT
Private IP Range
Input intranet IPs for NAT mapping.
Respective Public IP
Input the respective public IP addresses.
following interface selection.
This should go along with the
If the IP address is not within the interface
ranges, the setting will not work.
Interface
Select the mapping interface.
If the WAN IP above is not within the
interface range, the setting will not work.
Add to List
Add this configuration to the One-to-One NAT list.
Delete selected range
Remove a selected One-to-One NAT list.
Apply
Click “Apply” to save the network configuration modification.
Cancel
Click “Cancel" to leave without making any changes.
211
SSL/IPSec VPN Firewall
12.5 DDNS- Dynamic Domain Name Service
DDNS supports the dynamic web address transfer for QnoDDNS.org.cn、3322.org、DynDNS.org and
DtDNS.com. This is for VPN connections to a website that is built with dynamic IP addresses, and for
dynamic IP remote control. For example, the actual IP address of an ADSL PPPoE time-based system or
the actual IP of a cable modem will be changed from time to time. To overcome this problem for users who
want to build services such as a website, it offers the function of dynamic web address transfer. This
service can be applied from www.qno.cn/ddns, www.3322.org, www.dyndns.org, or www.dtdns.com, and
these are free.
Also, in order to solve the issue that DDNS server is not stable, the device can update the dynamic IP
address with different services at the same time.
Select the WAN port to which the configuration is to be edited, for example, WAN 1. Click the hyperlink to
enter and edit the settings.
212
SSL/IPSec VPN Firewall
Interface
This is an indication of the WAN port the user has selected.
DDNS
Check either of the boxes before DynDNS.org, 3322.org, DtDNS.com
and QnoDDNS.org.cn to select one of the four DDNS website address
transfer functions.
Username
The name which is set up for DDNS.
Input a complete website address such as abc.qnoddns.org.cn as a
user name for QnoDDNS.
Password
The password which is set up for DDNS.
Host Name
Input the website address which has been applied from DDNS.
213
SSL/IPSec VPN Firewall
Examples are abc.dyndns.org or xyz.3322.org.
Internet IP Address
Input the actual dynamic IP address issued by the ISP.
Status
An indication of the status of the current IP function refreshed by DDNS.
Apply
After the changes are completed, click “Apply” to save the network
configuration modification.
Cancel
Click “Cancel" to leave without making any changes.
12.6 MAC Clone
Some ISP will request for a fixed MAC address (network card physical address) for distributing IP
address, which is mostly suitable for cable mode users. Users can input the network card physical address
(MAC address: 00-xx-xx-xx-xx-xx) here.
The device will adopt this MAC address when requesting IP
address from ISP.
Select the WAN port to which the configuration is to be edited; click the hyperlink to enter and edit its
configuration. Users can input the MAC address manually. Press ―Apply‖ to save the setting, and press
―Cancel‖ to remove the setting.
Default MAC address is the WAN MAC address.
214
SSL/IPSec VPN Firewall
12.7 Inbound Load Balance
Qno Firewall/Router not only supports efficient Outbound Load Balance, but Inbound
Load Balance. It distributes inbound traffic equally to every WAN port to make best use of
bandwidth. It also can prevent traffic from unequally distribution and congested. Users can
use only one device to satisfy the demand of Inbound/Outbound Load Balance
simultaneously.
Following introduces how to enable and setup Inbound Load Balance step by step.
Attention!
In For some models of Qno routers, user can try the function for a period but with time
limit. If the function can match your network demand, you can apply for the official version
License Key in Qno Official Website (www.qno.com.tw). After applying, auditing, paying
and inputting License Key successfully, users can use the official version without time limit.
1. System Tool => License Key => Try to enable “Inbound Load Balance.”
After enabling Trial version, “Status and Information” column will display the remaining
trial time. If trial expires, the function can not work out at all unless users enter an official
License Key.
2. Go to “Inbound Load Balance” in “Advanced Function” and click “Edit” to configure.
3. Enable “Inbound Load Balance.”
215
SSL/IPSec VPN Firewall
216
SSL/IPSec VPN Firewall
4. Configure Domain Name and Host IP.
Assign DNS service provider and Host IP address. Take the setting on TWNIC as an example, the
network structure and IP are as following:
WAN1：ADSL ISP A 210.10.1.1
WAN2：ADSL ISP B 200.1.1.1
Domain Name：abc.com.tw
Name Server(NS)：ns1.abc.com.tw /ns2.abc.com.tw
Go to website of your DNS service provider to modify your own DNS Host/IP, as the following
figure:
Choose DNS mode, and then fill in the Host name and corresponding IP address of
WAN1 and WAN2. Press “Finish” button, the setting will be effective in 24 hours.
Attention!
Please follow your ISP to modify Host/IP assignment if your upper level isn’t TWNIC! If
your DNS agent is other ISP, please refer to the Web configuration provided by your ISP!?
5. Configure Firewall/Router Domain Name
217
SSL/IPSec VPN Firewall
Domain Name:
Input the Domain Name which is applied before. The domain name will be
shown in following configuration automatically without entering again.
Time To Live:
Time To Live (the abbreviation is TTL) is time interval of DNS inquiring
(second, 0~65535). Too long interval will affect refresh time. Shorter time
will increase system’s loading, but the effect of Inbound Load Balance will be
more correct. You can adjust according your reality application.
Administrator:
Enter administrator’s E-mail address, e.g. [email protected].
6. DNS Server Settings: Add or Modify NS Record. (NS Record)
NS Record is the record of DNS server to assign which DNS server translates the
domain name.
218
SSL/IPSec VPN Firewall
DNS
Input registered NS Record, ex. ns1, ns2.
Server
Interface:
Assign WAN IP address as corresponding IP of NS Record. The system will show
all acquired enabled WAN IP addresses automatically so that users can check
directly. But users have to check if the IP addresses are the same as the
corresponding settings on TWNIC DNS service provider. (Ex. ns1.abc.com.tw 
WAN1: 210.10.1.1, ns2.abc.com.twWAN2: 200.1.1.1)
7. Host Record: Add or modify host record. (A Record)
Host
Input the host name which provides services. E.g. mail server or FTP.
Name:
WAN IP:
Check corresponding A Record IP (WAN Port IP). If more than one IPs is checked,
Inbound traffic will be distributed on this WANs.
8. Alias Record : Add or modify alias record (CNAME Record)
This kind of record allows you to assign several names to one computer host, which
may provide several services on it.
219
SSL/IPSec VPN Firewall
For instance, there is a computer whose name is “host.mydomain.com” (A record). It
provides WWW and Mail services concurrently. Administrator can configure as two CNAME:
WWW and Mail. They are “www.mydomain.com” and “mail.mydomain.com”. They are both
orientated to “host.mydomain.com.”
You can also assign several domain names to the same IP address. One of the domains
will be A record corresponding server IP, and the others will be alias of A record domain. If
you change your server IP, you don’t have to modify every domain one by one. Just
changing A record domain, and the other domains will be assigned to new IP address
automatically.
Alias:
Input Alias Record corresponding to A Record.
Target:
Input the existed A Record domain name.
9. Mail Server: Add or modify mail server record.
MX Record is directed to a mail server. It orientates to a mail server according to the
domain name of an E-mail address. For example, someone on internet sends a mail to
[email protected]. The mail server will search MX Record of mydomain.com through
DNS. If the MX Record exists, sender PC will send mails to the mail server assigned by MX
Record.
220
SSL/IPSec VPN Firewall
Host
Display the host name without domain name of mail host.
Name:
Weight:
Indicate the order of several mail hosts, the smaller has more priority.
Mail
Input the server name which is saved in A Record or external mail server.
Server:
Click “Apply” button to save the configuration. Besides, users have to configure DNS
service port as following description.
10. Enable DNS Query (DNS service port) in Access Rule of Firewall setting.
Add a new access rule in Firewall setting to enable DNS service port of the WAN on
which Inbound Load Balance need to be enabled.
Action:
Check “Allow”.
Service Port:
From the drop-down menu, select “DNS [UDP/53~53].”
Log:
Check “Enable” if DNS Query data should be recorded.
Interface:
Check the WAN port on which Inbound Load Balance is enabled.
Source IP:
Select “Any”.
Dest. IP:
Select WAN port and input correspondingly IP of the domain name. Take the
previous example, input 210.10.1.1.
Scheduling:
Select “Always”.
11. Enable internal IP and service port corresponding to A Record in Port Range Forwarding of
Advanced Function.
221
SSL/IPSec VPN Firewall
Service Port:
Activate the service port of A Record server, e.g. SMTP [TCP/25~25] for Mail.
Internal IP:
Input the internal IP of A Record, e.g. 192.168.8.100 of Mail server.
Interface:
Select the WAN port of A Record and corresponding IP.
Enable:
Activate the configuration.
Add to List:
Add to the active service content.
222
SSL/IPSec VPN Firewall
XIII. System Tool
This chapter introduces the management tool for controlling the device and testing network connection.
For security consideration, we strongly suggest to change the password. Password and Time setting is in
Chapter 5.2.
13.1 Diagnostic
router provides a simple online network diagnostic tool to help users troubleshoot network-related
problems. This tool includes DNS Name Lookup (Domain Name Inquiry Test) and Ping (Packet
Delivery/Reception Test).
DNS Name lookup
On this test screen, please enter the host name of the network users want to test. For example, users
may enter www.abc.com and press "Go" to start the test. The result will be displayed on this page.
223
SSL/IPSec VPN Firewall
Ping
This item informs users of the status quo of the outbound session and allows the user to know the
existence of computers online.
On this test screen, please enter the host IP that users want to test such as 192.168.5.20. Press "Go" to
start the test. The result will be displayed on this screen.
13.2 Firmware Upgrade
Users may directly upgrade the VPN Router firmware on the Firmware Upgrade page. Please confirm all
information about the software version in advance. Select and browse the software file, click "Firmware
Upgrade Right Now" to complete the upgrade of the designated file.
Note!
Please read the warning before firmware upgrade.
Users must not exit this screen during upgrade. Otherwise, the upgrade may fail.
224
SSL/IPSec VPN Firewall
13.3 Configuration Backup
Import Configuration File:
This feature allows users to integrate all backup content of parameter settings into the
Router. Before
upgrade, confirm all information about the software version. Select and browse the backup parameter file:
225
SSL/IPSec VPN Firewall
"config.exp." Select the file and click "Import" to import the file.
Export Configuration File:
This feature allows users to backup all parameter settings. Click "Export" and select the location to save
the "config.exp" file.
Export Configuration File:
This feature allows users to backup IP&MAC binding, QoS, and Protocol Binding setting rules.
You can
separately export the rules or import these rules from ―Import Configuration File‖ above.
13.4 SNMP
Simple Network Management Protocol (SNMP) refers to network management communications
protocol and it is also an important network management item. Through this SNMP communications
protocol, programs with network management (i.e. SNMP Tools-HP Open View) can help
communications of real-time management. The device supports standard SNMP v1/v2c and is
consistent with SNMP network management software so as to get hold on to the operation of the online
devices and the real-time network information.
226
SSL/IPSec VPN Firewall
Enabled
Activate SNMP feature. The default is activated.
System Name
Set the name of the device such as Qno.
System Contact
Set the name of the person who manages the device (i.e. John).
System Location
Define the location of the device (i.e. Taipei).
Get Community Name
Set the name of the group or community that can view the device
SNMP data. The default setting is "Public".
Set Community Name
Set the name of the group or community that can receive the device
SNMP data. The default setting is "Private".
Trap Community Name
Set user parameters (password required by the Trap-receiving host
computer) to receive Trap message.
Send SNMP Trap to
Set one IP address or Domain Name for the Trap-receiving host
computer.
Apply
Press “Apply” to save the settings.
Cancel
Press “Cancel” to keep the settings unchanged.
13.5 System Recover
Users can restart the VPN Router with System Recover button.
Restart
As the figure below, if clicking ―Restart Router‖ button, the dialog block will pop out, confirming if users
would like to restart the device.
227
SSL/IPSec VPN Firewall
Return to Factory Default Setting
If clicking ―Return to Factory Default Setting, the dialog block will pop out, if the device will return to
factory default.
We suggest you backup your router configuration before upgrade firmware, after upgraded firmware, you
can reset router configuration to default for check the router stability, and then restore original router
configuration. (About backup and restore router configuration, you can refer to Chapter 12.3)
228
SSL/IPSec VPN Firewall
13.6 High Availability
High Availability is adopted in the network that requires fault tolerance and backup mechanism. Two
similar devices are used to be the backup for each other. One of these devices is employed for major network
transmitting, and the other redundant device will take over when the master device fails to assure that
network transmitting and services never break down. Therefore, administrators will have more opportunity
and time to deal with the master device problems.
Besides general HA, Qno also provides advanced HA function that enables two devices to operate
simultaneously. It brings full cost efficiency without making another device idle. It does not have to be the
same model. All of Qno devices which support HA can achieve the function.
High Availability
Enable: Activate HA function.
Disable: Disable HA function.
Mode
(1) Hardware Backup Mode
It is the general backup mode. The master device takes responsibility of network
transmitting and the other one is set as idle. When the master device fails
transmitting, it will send out the message to the idle device for taking over network
transmitting immediately.
229
SSL/IPSec VPN Firewall
(2) Two devices are operating simultaneously
Two devices operate outbound linking simultaneously, but they are still separated as
Master device and Backup device. In normal situation, Master device is major DHCP
IP issuer, and Backup device will disable DHCP issuing automatically. When Master
device fails transmitting, the Backup device will take over all outbound links and
enable DHCP server to provide IP addresses.
Following is the description of the two different modes.
Hardware Backup
※ Operation-Master Mode
Indicates the master device will operate for all outbound links. When
the master device fails transmitting, the backup device will take over.
Status
―Status- Normal‖ indicates the device operates well.
Status of the backup device
Indicates status of backup device. If the status is normal, administrators
can login the device remotely to manage. (Remote Management
should be enabled).
―Status- Abnormal‖ indicates the backup device can not be detected or
does exist, and need to inspect the backup device actual status.
230
SSL/IPSec VPN Firewall
Operation-Backup Mode
Indicates the backup device will take over when the master fails
transmitting. WAN and LAN IP setting in backup device should be the
same as those of master device. The backup device should not be in
charge of network transmitting and DHCP server.
※ If the original LAN IP addresses are issued by Master device,
DHCP server setting of Backup device should be the same as Master
device. The Backup device can keep DHCP functioning and there will
be no LAN disconnection.
LAN IP of the backup device
Input LAN IP of Master mode, which is backed up.
MAC Address of the backup device:
Input Master device MAC address, which is backed up.
Status
―Status- Normal‖ indicates the status is idle. Master device operates
normally.
―Status- Backup‖ indicates the device takes over all the network
transmitting. The status will return to ―Normal‖ when Master device
boots normally and send a message to the backup device. Then, the
status will return to Normal, which the backup device remains idle.
Two devices are operating simultaneously:
231
SSL/IPSec VPN Firewall
* This UI might vary from model to model, depending on different product lines.
Operation-Master Mode
Besides operating network with another device, Master device is also
the DHCP server to issue LAN IP addresses. Although Slave device
also supports outbound linking, its DHCP server is disabled.
WAN Backup
(The Checked WANs are not
working in this device.)
LAN Gateway Backup
The checked WANs will works in the other device. For an example, if
WAN1 and WAN2 work in this device, and WAN3 and WAN4 work in
the other device, WAN3 and WAN4 should be checked.
Input LAN IP of Slave device. The IP should be different from LAN IP of
Master device.
MAC Address of the backup device
Input LAN MAC of Slave device. It should be different from LAN MAC of
Master device.
Status
―Status-Normal‖
means
both
two
devices
operate
normally.
―Status-Backup‖ indicates Slave mode has problems, and the device
enables backup to take over WAN
232
SSL/IPSec VPN Firewall
* This UI might vary from model to model, depending on different product lines.
Operation-Slave Mode
Although working with master device, Backup device’s DHCP server is
disabled. LAN users need to transmit traffic through the WAN on Slave
device. You should add LAN IP of Slave device into Master device
DHCP server default gateway, which is DHCP server IP address.
For example, if the DHCP server’s IP of Master device is 192.168.1.1,
and the subnet mask is 255.255.255.0, Salve device should be in the
same subnet, ex. 192.168.1.2.
WAN Backup
(The Checked WANs are not working
in this device.)
LAN Gateway Backup
The checked WANs will works in another device. For an example, if
WAN1 and WAN2 work in this device, and WAN3 and WAN4 work in
another, WAN3 and WAN4 should be checked.
Input the LAN IP of Master device. It should be different from Slave
device’s IP. (Must be in the same subnet.)
MAC Address of the backup device
Input the LAN MAC of Master device. It should be different from Salve
device’s LAN MAC.
Status
―Status-Normal‖ indicates both devices work normally; ―Status-Backup‖
indicates the Backup device is enabled for backing up Master device to
take over WAN connection and DHCP issuing function.
233
SSL/IPSec VPN Firewall
11.7 License Key
Users have to purchase License Key to “enable” some functions in Qno Firwalls/Routers series
or upgrade to “Official Version”(not trial version), such as QnoSniff or Inbound Load Balance,
etc.
Current Time:
Before inputing License Key, the device will check whether
current time is correct and whether License Key is still in valid
period. In order to prevent from dysfuction problems, we
strongly recommend you to check and update the time correctly
before attempting a feature and entering License Key.
License Key
Input License Key you purchase. Generally the key is composed
Number：
by several alphanumeric characters. Enter the key and click
“Submit”, and the system will check whether the License Key is
valid. If the key is valid, users will be allowed to use the feature.
The “Official Version” column of that feature will be checked.
Feature Name:
List value-added features. If there is no “Trial Version” button in
the “Trial Version” column, it means the feature has no trail
version, or it just supports the amount of VPN tunnels, such as
QnoSoftKey.
Trial Version /
Display “Trial” button in the “Trial Version” column at default if
Official Version:
the functions have trial versions. Users can try the functions
for certain period of time by pressing the button.
After entering and registering License Key successfully,“Official
Version”column will be checked. The feature will be in official
234
SSL/IPSec VPN Firewall
version and not be limited by trial expiration date.
Registration Time:
Display successfully inputted and registered time.
Status Information:
Indicate remaining trial date or supported amount of
QnoSoftkey VPN Tunnels.
Refresh:
Refresh current system status and time.
235
SSL/IPSec VPN Firewall
XIV. Log
From the log management and look up, we can see the relevant operation status, which is convenient for
us to facilitate the setup and operation.
14.1 System Log
Its system log offers three options: system log, E-mail alert, and log setting.
System Log
Enabled
If this option is selected, the System Log feature will be enabled.
Host Name
The device provides external system log servers with log collection feature.
System log is an industrial standard communications protocol. It is
designed to dynamically capture related system message from the
network. The system log provides the source and the destination IP
addresses during the connection, service number, and type. To apply this
feature, enter the system log server name or the IP address into the empty
"system log server" field.
236
SSL/IPSec VPN Firewall
E-mail Alert (Future Feature)
Enabled：
If this option is selected, E-mail Warning will be enabled.
Mail Server：
If users wish to send out all the logs, please enter the E-mail
server name or the IP address; for instance, mail.abc.com .
E- mail：
This is set as system log recipient email address such as
[email protected].
Log Queue Length：
Set the number of Log entries, and the default entry number is
50. When this defined number is reached, it will automatically
send out the log mail.
Log Time Threshold：
Set the interval of sending the log, and the default is set to 10
minutes. Reaching this defined number, it will automatically
send out the Mail log.
The device will detect which parameter (either entries or
intervals) reaches the threshold first and send the log message
of that parameter to the user.
Send Log to E- mail：
Users may send out the log right away by pressing this
button.
237
SSL/IPSec VPN Firewall
Log Setting
Alert Log
The
Router provides the following warning message. Click to activate these features: Syn Flooding, IP
Spoofing, Win Nuke, Ping of Death / Unauthorized Login Attempt.
Syn Flooding
Bulky syn packet transmission in a short time causes the overload of the
system storage of record in connection information.
IP Spoofing
Through the packet sniffing, hackers intercept data transmitted on the
network. After they access the information, the IP address from the sender
is changed so that they can access the resource in the source system.
Win Nuke
Servers are attacked or trapped by the Trojan program.
Ping of Death
The system fails because the sent data exceeds the maximum packet that
can be handled by the IP protocol.
Unauthorized
If intruders into the device are identified, the message will be sent to the
Login
system log.
238
SSL/IPSec VPN Firewall
General Log
The VPN Router provides the following warning message. Click to activate the feature. System error
message, blocked regulations, regulation of passage permission, system configuration change and
registration verification.
Deny Policies
If remote users fail to enter the system because of the access rules; for
instance, message will be recorded in the system log.
Allow Policies
If remote users enter the system because of compliance with access
rules; for instance, message will be recorded in the system log.
Authorized Login
Successful entry into the system includes login from the remote end or
from the LAN into this device. These messages will be recorded in the
system log.
The following is the description of the four buttons allowing online inquiry into the log.
View System Log:
This option allows users to view system log. The message content can be read online via the device.
They include All Log, System Log, Firewall Log, and VPN log, which is illustrated as below.
Outgoing Packet Log:
239
SSL/IPSec VPN Firewall
View system packet log which is sent out from the internal PC to the Internet. This log includes LAN IP,
destination IP, and service port that is applied. It is illustrated as below.
Incoming Packet Log:
View system packet log of those entering the firewall. The log includes information about the external
source IP addresses, destination IP addresses, and service ports. It is illustrated as below.
Clear Log Now:
This feature clears all the current information on the log.
14.2 System Statistic
The
Router has the real-time surveillance management feature that provides system current operation
information such as port location, device name, current WAN link status, IP address, MAC address, subnet
mask, default gateway, DNS, number of received/ sent/
Received and
total packets , number of received/ sent/ total Bytes,
Sent Bytes/Sec., total number of error packets received, total number of the packets dropped,
number of session, number of the new Session/Sec., and upstream as well as downstream broadband usage
(%).
240
SSL/IPSec VPN Firewall
14.3 Traffic Statistic
Six messages will be displayed on the Traffic Statistic page to provide better traffic management and
control.
241
SSL/IPSec VPN Firewall
By Inbound IP Address:
The figure displays the source IP address, bytes per second, and percentage.
By outbound IP Address:
The figure displays the source IP address, bytes per second, and percentage.
242
SSL/IPSec VPN Firewall
By Inbound Port:
The figure displays the network protocol type, destination IP address, bytes per second, and percentage.
By Outbound Port:
The figure displays the network protocol type, destination IP address, bytes per second, and percentage.
243
SSL/IPSec VPN Firewall
By Inbound Session:
The figure displays the source IP address, network protocol type, source port, destination IP address,
destination port, bytes per second and percentage.
By Outbound Session:
The figure displays the source IP address, network protocol type, source port, destination IP address,
destination port, bytes per second and percentage.
244
SSL/IPSec VPN Firewall
14.4 Connection Statistic (Future Feature)
Connection Statistic function is used to record the numbers of network connections, including outbound
sessions, and intranet users (PC). It also displays the user connection sessions.
Enable：
When enabling Connection Statistic function, parts of
system efficiency will be influenced. Therefore, the
system will remind you the influence when you
enable this function.
PC there are currently
traffic：
Display current PC amounts having outbound
connections. If the PC does not boot up or is not
connected to internet, it will not be counted in the
245
SSL/IPSec VPN Firewall
statistic.
LAN PC Data Ordering By：
Select this function to sort the data by [IP Address up
to down], [IP Address down to up], [Session down to
up], and [Session up to down].
Jump to___/___Page；
Select this function to display the data by how many
Entries per page___
entries of data per page will be displayed. Also you
can select the page you would like to see from the
drop down menu.
Data List field
IP Address：
Display PC’s IP address which has outbound traffic.
Also you can click the IP hyperlink to display the
current connection statistic and details.(As the
following graph):
Host Name：
Display PC names that having outbound traffic. It will
show blank when the system cannot analyze.
Session：
Display PC connection sessions that having outbound
traffic.
Refresh：
Click the Refresh button that the latest data and list
will be updated.
246
SSL/IPSec VPN Firewall
14.5 IP/ Port Statistic
The
Router allows administrators to inquire a specific IP (or from a specific port) about the addresses
that this IP had visited, or the users (source IP) who used this service port. This facilitates the identification of
websites that needs authentication but allows a single WAN port rather than Multi-WANs. Administrators may
find out the destination IP for protocol binding to solve this login problem. For example, when certain port
software is denied, inquiring about the IP address of this specific software server port may apply this feature.
Moreover, to find out BT or P2P software; , users may select this feature to inquire users from the port.
Specific IP Status:
Enter the IP address that users want to inquire, and then the entire destination IP connected to remote
devices as well as the number of ports will be displayed.
247
SSL/IPSec VPN Firewall
Specific Port Status：
Enter the service port number in the field and IP that are currently used by this port will be displayed.
248
SSL/IPSec VPN Firewall
14.6 QRTG (Qno Router Traffic Graphic)
QRTG utilizes dynamic GUI and simple statistic to display system status of Qno Firewall/ Router
presently, including CPU Utilization(%), Memory Utilization(%), Session and WAN Traffic.
Enable QRTG: The function is disabled by default. When you are going to enable the QRTG function,
system will pop-up a warning massage to remind you this function will be enabled, which may influence
router efficiency. You can use drop down menu to select current status that including statistic and graphics of
the following items when this function is enabled. System will refresh the statistic and graphics to latest data
timing when you click ―Refresh‖ button.
I. CPU Usage (As in the following figure)
(1) CPU Hours Usage Rate graphic / average/ maximum
(2) CPU Days Usage Rate graphic / average/ maximum
(3) CPU, Week Usage Rate graphic / average/ maximum
249
SSL/IPSec VPN Firewall
II. WAN Traffic Statistic (hourly) graphic and average (up/down stream) (As in the following figures)
250
SSL/IPSec VPN Firewall
* The UI might vary from model to model, depending on different product lines.
III. WAN Traffic Statistic (Day) graphic and average (up/down stream)(As in the following figures)
251
SSL/IPSec VPN Firewall
* The UI might vary from model to model, depending on different product lines.
IV. WAN Traffic Statistic (Week) graphic and average (up/down stream)(As in the following figures)
252
SSL/IPSec VPN Firewall
* The UI might vary from model to model, depending on different product lines.
253
SSL/IPSec VPN Firewall
XV. Log out
On the top right corner of the web- based UI, there is a Logout button. Click on it to log out of the webbased UI. To enter next time, open the Web browser and enter the IP address, user name and password to
log in.
254
SSL/IPSec VPN Firewall
Appendix I: User Interface and User Manual Chapter Cross
Reference
This appendix is to show the corresponding index for each chapter and user interface. Users can find
how to setup quickly and understand the VPN Router capability at the same time.
Router overall index is as below.
Category
Sub- category
Chapter
Home
V. Device Spec Verification, Status Display
and Login Password and Time Setting
5.1 Home
Basic Setting
VI. Network
Network Connection
6.1 Network Connection
Traffic Management
6.2 Multi- WAN Setting
255
SSL/IPSec VPN Firewall
Protocol Binding
USB
6.2 Multi- WAN Setting
Please download the manual from Qno official
website.
http://www.Qno.com.tw
QoS
VIII. QoS
Bandwidth
8.1 (QoS)
Management
8.3 Bandwidth Management
Session Control
8.2 Session Limit
IP/DHCP
VII. Port Management
Setup
7.3 DHCP/ IP
Status
7.4 DHCP Status
IP & MAC Binding
7.5 IP & MAC Binding
IP Grouping
7.6 IP Grouping
Port Grouping
7.7 Port Grouping
E- Bulletin&ARP Binding
(Future Feature)
Firewall
IX. Firewall
General Policy
9.1 General Policy
9.2 Restricted Application
Access Rule
9.3 Access Rule
Content Filter
9.4 Content Filter
VPN
X. VPN
Summary
10.1.1 Summary
Gateway to
10.1.2.1 Gateway to Gateway
Gateway
Client to Gateway
10.1.2.2 Client to Gateway
PPTP Setup
10.1.3 PPTP Setup
PPTP Status
10.1.3 PPTP Status
VPN Pass Through
10.1.4 VPN Pass Through
QnoKey
10.2 QnoKey
Summary
10.2.1 -10.2.3 QnoKey Group and Client
QVM VPN
10.3 QVM VPN
QVM Setup
10.3.1 QVM VPN Server Setting
10.3.3 QVM VPN Client Setting
256
SSL/IPSec VPN Firewall
QVM Status
10.3.2 QVM Status
SSL VPN
XI. SSL VPN
Status
11.1 Status
Group Summary
11.2 Group Summary
Group Management
11.3 Group Management
Domain
11.4 Domain Management
Management
User Management
11.5 User Management
Service Resource
11.6 Service Resource Management
Management
Link to Portal
11.7 Link to Portal
Advanced Settings
11.8 Advanced Settings
Advanced Function
XII. Advanced Setting
DMZ Host
12.1 DMZ Host
UPnP
12.2 UPnP
Routing
12.3 Routing
One to One NAT
12.4 One to One NAT
Multiple to One
12.4 One to One NAT
NAT
DDNS
12.5 DDNS
MAC Clone
12.6 MAC Clone
Inbound Load
11.7 Inbound Load Balance
Balance
System Tool
XIII. System Tool
V. Device Spec Verification, Status Display
and Login Password and Time Setting
Password
5.2 Change and Set Login Password and Time
Diagnostic
13.1 Diagnostic
Firmware Upgrade
13.2 Firmware Upgrade
Setting Backup
13.3 Setting Backup
Time
5.2 Change and Set Login Password and Time
System Recover
13.4 System Recover
257
SSL/IPSec VPN Firewall
License Key
12.7 License Key
Port Management
VII. Intranet Configuration
Setup
7.1 Setup
Status
7.2 Status
Log
XIV. Log
System Log
14.1 System Log
System Status
14.2 System Status
Traffic Statistic
14.3 Traffic Statistic
Connection Statistic
14.4 Connection Statistic
IP/Port statistic
14.5 IP/Port statistic
QRTG
14.6 QRTG
258
SSL/IPSec VPN Firewall
Appendix II: Troubleshooting
（1） Block BT Download
To block BT and prevent downloading by users, go to the ―Firewall -> Content Filter" and select
"Enable Website Block by Keywords," followed by the input of "torrent." This will prevent the users from
downloading.
259
SSL/IPSec VPN Firewall
（2） Shock Wave and Worm Virus Prevention
Since many users have been attacked by Shock Wave and Worm viruses recently, the internet
transmission speed was brought down and the Session bulky increase result in the massive processing
load of the device. The following guides users to block this virus' corresponding port for prevention.
a. Add this TCP135-139, UDP135-139 and TCP445 Port.
b. Use the "Access Rule" in the firewall and set to block these three ports.
260
SSL/IPSec VPN Firewall
Use the same method to add UDP [UDP135~139] and TCP [445~445] Ports.
c. Enhance the priority level of these three to the highest.
261
SSL/IPSec VPN Firewall
（3） Block QQLive Video Broadcast Setting
QQLive Video broadcast software is a stream media broadcast software. Many clients are bothered by
the same problem: When several users apply QQLive Video broadcast software, a greater share of the
bandwidth is occupied, thus overloading the device. Therefore, the device responds more slowly or is
paralyzed. If the login onto the QQLive Server is blocked, the issue can be resolved. The following relates to
Qno products and provides users with solutions by introducing users how to set up the device.
a). Log into the device web- based UI, and enter ―Firewall -> Access Rule‖.
b). Click "Add New Rule" under "Access Rule" page. Select "Deny" in "Action" under the "Service‖
rule setting, followed by the selection of "All Traffic [TCP&UDP/1~65535]" from
"the service" and select
"Any" for Interface, "Any" for source IP address (users with relevant needs may select either "Single" or
"Range" to block any QQLive login by using one single IP or IP range), followed by the selection of
"Single" of the "Dest. IP and enter the IP address as 121.14.75.155" for the QQLive Server (note that
there are more than one IP address for QQLive server. Repeated addition may be needed). Lastly, select
"Always" under the Scheduling setting so that the QQLive Login Time can be set. (If necessary, specific
time setting may be undertaken). Click "Apply" to move to the next step.
262
SSL/IPSec VPN Firewall
c). Input the following IP address in Dest. IP repeatedly.
cache.tv.qq.com
loginqqlivedx.qq.com
qqlive.qq.com
58.60.11.145
219.133.49.159
219.133.62.70
58.60.11.146
loginqqlivewt.qq.com
tv1-3t.qq.com
58.60.11.147
58.251.63.13
221.236.11.40
59.36.97.5
loginqqlivexy.qq.com
tv2.qq.com
59.36.97.7
202.205.3.218
218.17.209.17
59.36.97.37
219.133.63.48
After repeated addition, users may see the links to the QQLive Server blocked. Click "Apply" to block
QQLive video broadcast.
263
SSL/IPSec VPN Firewall
（4） ARP Virus Attack Prevention
1. ARP Issue and Information
Recently, many cyber cafes in China experienced disconnection (partially or totally) for a short period of
time, but connection is resumed quickly. This is caused by the clash with MAC address. When virus-contained
MAC mirrors to such NAT equipments as host devices, there is complete disconnection within the network. If
it mirrors to other devices of the network, only devices of this affected network have problems. This happens
mostly to legendary games especially those with private servers. Evidently, the network is attacked by ARP,
which aims to crack the encryption method. By doing so, they hackers may intercept the packet data and user
information through the analysis of the game's communication protocol. Through the spread of this virus, the
detailed information of the game players within the local network can be obtained. Their account and
information are stolen. The following describes how to prevent such virus attack.
First, let us get down to the definition of ARP (Address Resolution Protocol). In LAN, what is actually
transmitted is "frame", in which there is MAC address of the destination host device. So-called ―Address
Analysis‖ refers to the transferring process of the target IP address into the target MAC address before the
host sends out the frame. The basic function of ARP protocol aims to inquire the MAC address of the target
equipment via the IP address of the target equipment so as to facilitate the communications.
The Working Principle of ARP Protocol: Computers with TCP/IP protocol have an ARP cache, in which
the IP address corresponds to the MAC address (as illustrated).
IP
MAC
192.168.1.1
00-0f-3d-83-74-28
192.168.1.2
00-aa-00-62-c5-03
192.168.1.3
03-aa-01-75-c3-06
……
……
For example, host A (192.168.1.5) transmits data to Host B (192.168.1.1) .Transmitting data, Host A
searches for the destination IP address from the ARP Cache. If it is located, MAC address is known. Simply fill
in the MAC address for transmission. If no corresponding IP address is found in ARP cache, Host A will send
a broadcast. The MAC address is ―FF.FF.FF.FF.FF.FF,‖ which is to inquire all the host devices in the same
264
SSL/IPSec VPN Firewall
network session about ―What is the MAC address of ―192.168.1.1"? Other host devices do not respond to the
ARP inquiry except host device B, which responds to host device A when receiving this frame: ―The MAC
address of 192.168.1.1 is 00-aa-00-62-c6-09‖. So Host A knows the MAC address of Host B, and it can send
data to Host B. Meanwhile, it will update its ARP cache.
Moreover, ARP virus attack can be briefly described as an internal attack to the PC, which causes trouble
to the ARP table of the PC. In LAN, IP address was transferred into the second physical address (MAC
address) through ARP protocol. ARP protocol is critical to network security. ARP cheating is caused by fake IP
addresses and MAC addresses, and the massive ARP communications traffic will block the network. The
MAC address from the fake source sends ARP response, attacking the high-speed cache mechanism of ARP.
This usually happens to the cyber cafe users. Some or all devices in the shop experience temporal
disconnection or failure of going online. It can be resolved by restarting the device; however, the problem
repeats shortly after. Cafe Administrators can use arp –a command to check the ARP table. If the device IP
and MAC are changed, it is the typical symptom of ARP virus attack.
Such virus program as PWSteal. lemir or its transformation is worm virus of the Trojan programs affecting
Windows 95/ 98/ Me/ NT/ 2000/ XP/ 2003. There are two attack methods affecting the network connection
speed: cheat on the ARP table in the device or LAN PC. The former intercepts the gateway data and send
ceaselessly a series of wrong MAC messages to the device, which sends out wrong MAC address. The PC
thus cannot receive the messages. The later is ARP attack by fake gateways. A fake gateway is established.
The PC which is cheated sends data to this gateway and doesn't go online through the normal device. From
the PC end, the situation is "disconnection―.
For these two situations, the device and client setup must be done to prevent ARP virus attack, which is
to guarantee the complete resolution of the issue. The device selection is advised to take into consideration
the one with anti-ARP virus attack. Qno products come squarely with such a feature, which is very
user-friendly compared to other products.
2. ARP Diagnostic
If one or more computers are affected by the ARP virus, we must learn how to diagnose and take
appropriate measures. The following is experience shared by Qno technical engineers with regard to the ARP
prevention.
Through the ARP working principle, it is known that if the ARP cache is changed and the device is
constantly notified with the series of error IP or if there is cheat by fake gateway, then the issue of
disconnection will affect a great number of devices. This is the typical ARP attack. It is very easy to judge if
there is ARP attack. Once users find the PC point where there is problem, users may enter the DOS system to
265
SSL/IPSec VPN Firewall
conduct operation, pining the LAN IP to see the packet loss. Enter the ping 192.168.1.1 (Gateway IP address)
as illustrated.
If there are cases of packet loss of the ping LAN IP and lf later there is connection, it is possible that the
system is attacked by ARP. To verify the situation, we may judge by checking ARP table. Enter the ARP -a
command as illustrated below.
It is found that the IP of 192.168.1.1 and 192.168.252 points to the same MAC address as
00-0f-3d-83-74-28. Evidently, this is a cheat by ARP.
3. ARP Solution
Now we understand ARP, ARP cheat and attack, as well as how to identify this type of attack. What
comes next is to find out effective prevention measures to stop the network from being attacked. The general
solution provided by Qno can be divided into the following three options:
a) Enable “Prevent ARP Virus Attack”:
Enter the device IP address to log in the management webpage of the device. Enter ‖Firewall-> General‖
and find the option "Prevent ARP Virus Attack" to the right of the page. Click on the option to activate it and
click "Apply" at the bottom of the page (see illustrated).
266
SSL/IPSec VPN Firewall
b) Bind the Gateway IP and MAC address for each PC
This prevents the ARP from cheating IP and its MAC address. First, find out the gateway IP and MAC
address on the device end.
On every PC, start or operate cmd to enter the dos operation. Enter arp –s 192.168.1.1 0a-0f-d4-9e-fb-0b
so as to finish the binding of pc01 as illustrated.
For other host devices within the network, follow the same way to enter the IP and MAC address of the
corresponding device to complete the binding work. However, if this act restarts the computer, the setting will
be cancelled. Therefore, this command can be regarded as a batch of processing documents placed in the
activation of the operation system. The batch processing documents can be put in this way:
267
SSL/IPSec VPN Firewall
@echo off
arp -d
arp -s Router LAN IP
Router LAN MAC
For those internal network attacked by Arp, the source must be identified. Method: If the PC fails to go
online or there is packet loss of ping, in the DOS screen, input arp –a command to check if the MAC address
of the gateway is the same with the device MAC address. If not, the PC corresponding to the MAC address is
the source of attack.
Solutions for other device users are to make a two-way binding of the IP address and MAC address from
both of the PC and device ends in order to carry out the prevention work. However, this is more complicated
because the search for the IP and address and MAC increases the workload. Moreover, there is greater
possibility of making errors during the operation.
c) Bind the IP/MAC Address from Device End:
Enter ―Setup‖ under DHCP page. On the down right corner of the screen, there is ―IP and MAC Binding,‖
where users may create IP and MAC binding. On ―Enabled,‖ click on ―√‖ and select ―Add to List.‖ Repeat
these steps to add other IP addresses and MAC binding, followed by clicking ―Apply‖ at the bottom of the
page.
268
SSL/IPSec VPN Firewall
After an item is added to the list, the corresponding message will be displayed in the white block on the
bottom. However, such method is not recommended because the inquiry of IP/MAC addresses of all hosts
creates heavy workload. Another method to bind IP and MAC is more recommended because of easy
operation, reducing workload and time efficiency. It is described in the following.
Enter ―Setup‖ under the DHCP page and look for IP and MAC binding. On the right, there is an option of
"Show new IP user" and click to enter.
269
SSL/IPSec VPN Firewall
Click to display IP and MAC binding list dialog box. In this box, the unbinding IP and MAC address
corresponding to the PC are displayed. Enter the "Name" of the computer and click on "Enabled" with the
display of the ―√‖ icon and push the option on the top right corner of the screen to confirm.
Now the bound options will display on the IP and MAC binding list (as illustrated in Figure 5) and click
"Apply‖ to finish binding.
270
SSL/IPSec VPN Firewall
Though these basic operations can help solve the problem but Qno's technical engineers suggest that
further measures should be taken to prevent the ARP attack.
1.
Deal with virus source as well as the source device affected by virus through virus killing and the
system re-installation. This operation is more important because it solves the source PC which is attacked by
ARP. This can better shelter the network from being attacked.
2. Cyber café administrators should check the LAN virus, install anti-virus software (Ginshan Virus/Reixin
must update the virus codes) and conduct virus scanning for the device.
3. Install the patch program for the system. Through Windows Update, the system patch program (critical
update, security update and Service Pack)
4. Provide system administrators with a sophisticated and strong password for different accounts. It
would be best if the password consists of a combination of more than 12 letters, digits, and symbols. Forbid
271
SSL/IPSec VPN Firewall
and delete some redundant accounts.
5. Frequently update anti-virus software (virus data base), and set the daily upgrade that allows regular
and automatic update. Install and use the network firewall software. Network firewall is important for the
process of anti-virus. It can effectively avert the attack from the network and invasion of the virus. Some users
of the pirate version of Windows cannot install patches successfully. Users are advised to use network firewall
and other measures for protection.
6. Close some unnecessary services and some unnecessary sharing (if the condition is applicable),
which includes such management sharing as C$ and D$. Single device user can directly close Server service.
7. Do not open QQ or the link messages sent by MSN online chatting tools in a causal manner. Do not
open or execute any strange, suspicious documents, and procedures such as the unknown attachment
enclosed in E-mail and plug-in.
4. Summary
ARP attack prevention is a serious and long-term undertaking. The above methods can basically resolve
the network problems caused by ARP virus attack. Moreover, clients who adopted similar methods witness
good results. However, it is important that network administrators pay special attention to this problem rather
than overlooking the issue. It is suggested that the above measures can be adopted to prevent ARP attack,
reduce the damage, enhance the work efficiency, and minimize economic loss.
272
SSL/IPSec VPN Firewall
Appendix III: Qno Technical Support Information
For more information about the Qno's product and technology, please log onto the Qno's bandwidth
forum, refer to the examples of the FTP server, or contact the technical department of Qno's dealers as
well as the Qno's Mainland technical center.
Qno Official Website
http：//www.Qno.com.tw
Dealer Contact
Users may log on to the service webpage to check the contacts of dealers.
http：//www.qno.com.tw/web/where_buy.asp
Taiwan Support Center：
E- mail：[email protected]
273

Top types

Top brands

Top types

Top brands

Top types

Top brands

Top types

Top brands

Top types

Top brands

Top types

Top brands

Top types

Top brands

Top types

Top brands

Top types

Top brands

Top types

Top brands

Top types

Top brands

Top types

Top brands

Top types

Top brands

Download User Manual